Windows Analysis Report
https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe

Overview

General Information

Sample URL: https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe
Analysis ID: 1589812

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Drops large PE files
Infects executable files (exe, dll, sys, html)
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • cmd.exe (PID: 6716 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe" > cmdline.out 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • wget.exe (PID: 4308 cmdline: wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe" MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
  • CloudCompare_v2.14.alpha_setup_x64.exe (PID: 1236 cmdline: "C:\Users\user\Desktop\download\CloudCompare_v2.14.alpha_setup_x64.exe" MD5: 4FA9171C45161772572CB136422EA7FD)
    • CloudCompare_v2.14.alpha_setup_x64.tmp (PID: 2176 cmdline: "C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp" /SL5="$B01CE,353634964,780800,C:\Users\user\Desktop\download\CloudCompare_v2.14.alpha_setup_x64.exe" MD5: CA9D0BC1FC3C0AEBE22047A2DCBCD715)
      • vcredist_2013_x64.exe (PID: 1628 cmdline: "C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe" /install /quiet /norestart MD5: 49B1164F8E95EC6409EA83CDB352D8DA)
        • vcredist_2013_x64.exe (PID: 3792 cmdline: "C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe" /install /quiet /norestart -burn.unelevated BurnPipe.{52F10DF7-B7C8-4B5E-AFC8-2BA7C00A35CC} {589A9A7F-E5FB-4992-ADCC-7C833A7A6873} 1628 MD5: 49B1164F8E95EC6409EA83CDB352D8DA)
      • VC_redist.x64.exe (PID: 2520 cmdline: "C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe" /install /quiet /norestart MD5: 223A76CD5AB9E42A5C55731154B85627)
        • VC_redist.x64.exe (PID: 1168 cmdline: "C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe" -burn.filehandle.attached=528 -burn.filehandle.self=684 /install /quiet /norestart MD5: 3F32F1A9BD60AE065B89C2223676592E)
          • VC_redist.x64.exe (PID: 6156 cmdline: "C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{60D065C7-249B-4C30-AB63-A887FF5234A5} {42CC66AD-E068-43D3-BEEF-9923C01C6D50} 1168 MD5: 3F32F1A9BD60AE065B89C2223676592E)
            • VC_redist.x64.exe (PID: 1436 cmdline: "C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=1076 -burn.embedded BurnPipe.{D12062C8-32D1-4D95-9427-EFB8FB4659AF} {9F88753D-DF7E-4F79-A3B9-627D7E10415E} 6156 MD5: 35E545DAC78234E4040A99CBB53000AC)
              • VC_redist.x64.exe (PID: 5532 cmdline: "C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -burn.filehandle.attached=640 -burn.filehandle.self=648 -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=1076 -burn.embedded BurnPipe.{D12062C8-32D1-4D95-9427-EFB8FB4659AF} {9F88753D-DF7E-4F79-A3B9-627D7E10415E} 6156 MD5: 35E545DAC78234E4040A99CBB53000AC)
                • VC_redist.x64.exe (PID: 5268 cmdline: "C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{935F69E9-7A94-4F90-8C25-27F6F541247F} {146765A4-B826-46FA-82C4-51D72A57D3AB} 5532 MD5: 35E545DAC78234E4040A99CBB53000AC)
  • SrTasks.exe (PID: 4504 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1 MD5: 2694D2D28C368B921686FE567BD319EB)
    • conhost.exe (PID: 3636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • msiexec.exe (PID: 3480 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
  • vcredist_x64.exe (PID: 5248 cmdline: "C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe" /burn.runonce MD5: 3284088A2D414D65E865004FDB641936)
    • vcredist_x64.exe (PID: 3512 cmdline: "C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe" MD5: 3284088A2D414D65E865004FDB641936)
  • SrTasks.exe (PID: 6276 cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 MD5: 2694D2D28C368B921686FE567BD319EB)
    • conhost.exe (PID: 5884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • VC_redist.x64.exe (PID: 2824 cmdline: "C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe" /burn.runonce MD5: 3F32F1A9BD60AE065B89C2223676592E)
    • VC_redist.x64.exe (PID: 1020 cmdline: "C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe" MD5: 3F32F1A9BD60AE065B89C2223676592E)
      • VC_redist.x64.exe (PID: 1712 cmdline: "C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe" -burn.filehandle.attached=568 -burn.filehandle.self=560 MD5: 3F32F1A9BD60AE065B89C2223676592E)
  • LogonUI.exe (PID: 5468 cmdline: "LogonUI.exe" /flags:0x4 /state0:0xa3f5d855 /state1:0x41c64e6d MD5: 893144FE49AA16124B5BD3034E79BBC6)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started, Author: Jonathan Cheong, oscd.community: Data: Command: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe" > cmdline.out 2>&1, CommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe" > cmdline.out 2>&1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1816, ProcessCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe" > cmdline.out 2>&1, ProcessId: 6716, ProcessName: cmd.exe
Source: Process started, Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe" > cmdline.out 2>&1, CommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe" > cmdline.out 2>&1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1816, ProcessCommandLine: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe" > cmdline.out 2>&1, ProcessId: 6716, ProcessName: cmd.exe
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe" /burn.runonce, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe, ProcessId: 1628, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}
No Suricata rule has matched

Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe, Code function: 11_2_01027BC4 _memset,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,ReadFile,CryptHashData,ReadFile,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,GetLastError,CryptDestroyHash,CryptReleaseContext,11_2_01027BC4
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe, Code function: 11_2_01008566 CryptHashPublicKeyInfo,GetLastError,11_2_01008566
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe, Code function: 11_2_010086E7 DecryptFileW,11_2_010086E7
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe, Code function: 20_2_0005BD11 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,DecryptFileW,LocalFree,20_2_0005BD11
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe, Code function: 20_2_0005BAF6 DecryptFileW,DecryptFileW,20_2_0005BAF6
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe, Code function: 20_2_00084C0F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,20_2_00084C0F
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe, Code function: 21_2_00F5BD11 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,DecryptFileW,LocalFree,21_2_00F5BD11
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe, Code function: 21_2_00F5BAF6 DecryptFileW,DecryptFileW,21_2_00F5BAF6
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe, Code function: 21_2_00F84C0F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,21_2_00F84C0F
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe, Code function: 22_2_00E1BAF6 DecryptFileW,DecryptFileW,22_2_00E1BAF6
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe, Code function: 22_2_00E44C0F CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,22_2_00E44C0F
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe, Code function: 22_2_00E1BD11 ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,DecryptFileW,LocalFree,22_2_00E1BD11
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe, Code function: 24_2_008486E7 DecryptFileW,24_2_008486E7
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe, Code function: 24_2_00867BC4 _memset,CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,ReadFile,CryptHashData,ReadFile,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,GetLastError,CryptDestroyHash,CryptReleaseContext,24_2_00867BC4
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe, Code function: 24_2_00848566 CryptHashPublicKeyInfo,GetLastError,24_2_00848566
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, Code function: 28_2_003AF961 CryptAcquireContextW,GetLastError,CryptCreateHash,GetLastError,CryptHashData,ReadFile,GetLastError,CryptDestroyHash,CryptReleaseContext,GetLastError,CryptGetHashParam,GetLastError,SetFilePointerEx,GetLastError,28_2_003AF961
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, Code function: 28_2_00389C99 DecryptFileW,DecryptFileW,28_2_00389C99
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe, Code function: 28_2_00389EB7 DecryptFileW,28_2_00389EB7
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-9T5UJ.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-3BH9T.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-VASEO.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-THO45.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-5BU1G.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-I0DFD.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-E1RT6.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-O0IBB.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-A0I0D.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-6N5GV.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-K8P80.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-8FUGF.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-BSE53.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-NOEVB.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-JJO2V.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-AG6MA.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-DBST9.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-57LVB.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-9GD5R.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-PLAJK.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-R1KQO.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-IC39K.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-JJSCB.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-5SLJ3.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-6J6J7.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-PV2B0.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-S1MM7.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-EFKJI.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-46B0F.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-FF747.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-4RO78.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-PJC7N.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-LVH07.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-68KA0.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-IB676.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-5LEMA.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-P1BK8.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-0I154.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-RID1O.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-Q5HQ4.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\shaders
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\shaders\Bilateral
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\shaders\Bilateral\is-FD029.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\shaders\Bilateral\is-FEVIA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\shaders\ColorRamp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\shaders\ColorRamp\is-GNU6M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\shaders\DrawNormals
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\shaders\DrawNormals\is-5C51S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\shaders\DrawNormals\is-AJJK2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\shaders\DrawNormals\is-LN22A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\shaders\EDL
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\shaders\EDL\is-EQE9P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\shaders\EDL\is-SE7GB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\shaders\EDL\is-28PND.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\shaders\EDL\is-6I1PT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\shaders\SSAO
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\shaders\SSAO\is-VTJ2O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\shaders\SSAO\is-RDTS8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\styles
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\styles\is-A61TV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-294HR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-G01DC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-AO8GC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-3F5TJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-PT2MR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-5AB9D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-NFPBE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-C7NFU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-BHD9M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-K6TQI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-K4A07.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-P9EIR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-GSJV3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-DIV8J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-V7HLF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-DBN7V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-1DAVQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-FOCV9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-LER5S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-9BVL4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-HKH8K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-90PEC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-SHR09.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-P7642.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-14MA9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-3HA9J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-SM57C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-8K72G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-GM09G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-PVM8M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-5O3HT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-JFB27.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\translations\is-1VHV2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Directory created: C:\Program Files\CloudCompare\unins000.msg
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SystemRestore SRInitDone
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4DE0A2C8-03F9-4B3F-BAFC-1D5F2141464B}_is1
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe File created: C:\Users\user\AppData\Local\Temp\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\.ba1\license.rtf
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe File created: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.ba\license.rtf
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe File created: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.ba\1028\license.rtf
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe File created: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.ba\1029\license.rtf
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe File created: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.ba\1031\license.rtf
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe File created: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.ba\1036\license.rtf
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe File created: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.ba\1040\license.rtf
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe File created: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.ba\1041\license.rtf
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe File created: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.ba\1042\license.rtf
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe File created: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.ba\1045\license.rtf
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe File created: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.ba\1046\license.rtf
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe File created: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.ba\1049\license.rtf
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe File created: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.ba\1055\license.rtf
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe File created: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.ba\2052\license.rtf
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe File created: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.ba\3082\license.rtf
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe File created: C:\Users\user\AppData\Local\Temp\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\.ba1\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe File created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe File created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe File created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe File created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe File created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe File created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe File created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe File created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe File created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe File created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe File created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe File created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe File created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe File created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\3082\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe File created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe File created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe File created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe File created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe File created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe File created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe File created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe File created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe File created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe File created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe File created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe File created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe File created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe File created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\3082\license.rtf
Source: Binary string: MFCM120U.amd64.pdb source: mfcm120u.dll.19.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: VC_redist.x64.exe, 0000001C.00000002.5076405329.00000000003BB000.00000002.00000001.01000000.00000014.sdmp, VC_redist.x64.exe, 0000001D.00000002.5069899828.00000000003BB000.00000002.00000001.01000000.00000014.sdmp, VC_redist.x64.exe, 0000001E.00000002.5066811757.00000000003BB000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Concurrent.pdb source: is-NQS8E.tmp.10.dr
Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\burn.pdb source: VC_redist.x64.exe, 00000014.00000000.4828099835.000000000008E000.00000002.00000001.01000000.0000000E.sdmp, VC_redist.x64.exe, 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp, VC_redist.x64.exe, 00000015.00000002.5083123529.0000000000F8E000.00000002.00000001.01000000.0000000F.sdmp, VC_redist.x64.exe, 00000015.00000000.4831471787.0000000000F8E000.00000002.00000001.01000000.0000000F.sdmp, VC_redist.x64.exe, 00000016.00000002.5080951014.0000000000E4E000.00000002.00000001.01000000.00000011.sdmp, VC_redist.x64.exe, 00000016.00000003.4979220133.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, VC_redist.x64.exe, 00000016.00000000.4844312637.0000000000E4E000.00000002.00000001.01000000.00000011.sdmp, VC_redist.x64.exe, 0000001F.00000000.5094031159.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 0000001F.00000002.5102159004.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 00000020.00000002.5472779495.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 00000020.00000000.5095675088.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 00000021.00000000.5098146674.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 00000021.00000002.5473438320.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixStdBA.pdbH source: vcredist_x64.exe, 00000019.00000002.5481621682.000000006BA05000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb source: vcredist_2013_x64.exe, 0000000B.00000000.4634022863.000000000102B000.00000002.00000001.01000000.00000008.sdmp, vcredist_2013_x64.exe, 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp, vcredist_2013_x64.exe, 0000000D.00000002.4824554047.000000000102B000.00000002.00000001.01000000.00000008.sdmp, vcredist_2013_x64.exe, 0000000D.00000000.4635349255.000000000102B000.00000002.00000001.01000000.00000008.sdmp, vcredist_x64.exe, 00000018.00000000.4906891056.000000000086B000.00000002.00000001.01000000.00000012.sdmp, vcredist_x64.exe, 00000018.00000002.4941939991.000000000086B000.00000002.00000001.01000000.00000012.sdmp, vcredist_x64.exe, 00000019.00000000.4937116937.000000000086B000.00000002.00000001.01000000.00000012.sdmp, vcredist_x64.exe, 00000019.00000002.5472722655.000000000086B000.00000002.00000001.01000000.00000012.sdmp, vcredist_x64.exe.13.dr
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixDepCA.pdb source: vcredist_2013_x64.exe, 0000000B.00000003.4776674509.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp, vcredist_2013_x64.exe, 0000000B.00000003.4779903913.0000000000BD1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb`E source: vcredist_x64.exe.13.dr
Source: Binary string: MFCM120U.amd64.pdb8@ source: mfcm120u.dll.19.dr
Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\WixStdBA.pdb source: VC_redist.x64.exe, 00000021.00000002.5481724457.000000006C213000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\burn.pdb4 source: VC_redist.x64.exe, 00000014.00000000.4828099835.000000000008E000.00000002.00000001.01000000.0000000E.sdmp, VC_redist.x64.exe, 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp, VC_redist.x64.exe, 00000015.00000002.5083123529.0000000000F8E000.00000002.00000001.01000000.0000000F.sdmp, VC_redist.x64.exe, 00000015.00000000.4831471787.0000000000F8E000.00000002.00000001.01000000.0000000F.sdmp, VC_redist.x64.exe, 00000016.00000002.5080951014.0000000000E4E000.00000002.00000001.01000000.00000011.sdmp, VC_redist.x64.exe, 00000016.00000003.4979220133.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, VC_redist.x64.exe, 00000016.00000000.4844312637.0000000000E4E000.00000002.00000001.01000000.00000011.sdmp, VC_redist.x64.exe, 0000001F.00000000.5094031159.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 0000001F.00000002.5102159004.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 00000020.00000002.5472779495.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 00000020.00000000.5095675088.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 00000021.00000000.5098146674.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 00000021.00000002.5473438320.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixStdBA.pdb source: vcredist_x64.exe, 00000019.00000002.5481621682.000000006BA05000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb` source: vcredist_2013_x64.exe, 0000000B.00000000.4634022863.000000000102B000.00000002.00000001.01000000.00000008.sdmp, vcredist_2013_x64.exe, 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp, vcredist_2013_x64.exe, 0000000D.00000002.4824554047.000000000102B000.00000002.00000001.01000000.00000008.sdmp, vcredist_2013_x64.exe, 0000000D.00000000.4635349255.000000000102B000.00000002.00000001.01000000.00000008.sdmp, vcredist_x64.exe, 00000018.00000000.4906891056.000000000086B000.00000002.00000001.01000000.00000012.sdmp, vcredist_x64.exe, 00000018.00000002.4941939991.000000000086B000.00000002.00000001.01000000.00000012.sdmp, vcredist_x64.exe, 00000019.00000000.4937116937.000000000086B000.00000002.00000001.01000000.00000012.sdmp, vcredist_x64.exe, 00000019.00000002.5472722655.000000000086B000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qicns.pdb source: is-7T26D.tmp.10.dr

Spreading

Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\mfc140jpn.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\mfc140ita.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\mfc140deu.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\mfc140chs.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\mfc140enu.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\mfcm120.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\mfc120u.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\concrt140.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\mfc140fra.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\vccorlib140.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\vcruntime140_1.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\msvcp140_atomic_wait.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\vcomp140.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\mfc140cht.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\mfc140rus.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\mfcm140.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\mfcm120u.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\mfc140kor.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\msvcp140_2.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\mfc140u.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\mfc140.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\msvcp140_codecvt_ids.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\msvcr120.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\vcamp140.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\msvcp120.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\vccorlib120.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\msvcp140_1.dll
Source: C:\Windows\System32\msiexec.exe System file written: C:\Windows\System32\mfc120.dll
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe Code function: 11_2_01009065 _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose,11_2_01009065
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe Code function: 11_2_01025D1F _memset,FindFirstFileW,FindClose,11_2_01025D1F
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe Code function: 11_2_01026CB2 _memset,_memset,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose,11_2_01026CB2
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe Code function: 20_2_00041700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,20_2_00041700
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe Code function: 20_2_00043B2C FindFirstFileW,FindClose,20_2_00043B2C
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe Code function: 20_2_0007C2AF FindFirstFileExW,FindNextFileW,FindClose,FindClose,20_2_0007C2AF
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe Code function: 20_2_0005B79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose,20_2_0005B79F
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe Code function: 21_2_00F5B79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose,21_2_00F5B79F
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe Code function: 21_2_00F41700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,21_2_00F41700
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe Code function: 21_2_00F43B2C FindFirstFileW,FindClose,21_2_00F43B2C
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe Code function: 21_2_00F7C2AF FindFirstFileExW,FindNextFileW,FindClose,FindClose,21_2_00F7C2AF
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe Code function: 22_2_00E1B79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose,22_2_00E1B79F
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe Code function: 22_2_00E01700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose,22_2_00E01700
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe Code function: 22_2_00E03B2C FindFirstFileW,FindClose,22_2_00E03B2C
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe Code function: 22_2_00E3C2AF FindFirstFileExW,FindNextFileW,FindClose,FindClose,22_2_00E3C2AF
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe Code function: 24_2_00866CB2 _memset,_memset,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose,24_2_00866CB2
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe Code function: 24_2_00849065 _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose,24_2_00849065
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe Code function: 24_2_00865D1F _memset,FindFirstFileW,FindClose,24_2_00865D1F
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe Code function: 25_2_6B9FA685 _memset,FindFirstFileW,FindClose,25_2_6B9FA685
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Code function: 28_2_00373BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose,28_2_00373BC3
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Code function: 28_2_003B4315 FindFirstFileW,FindClose,28_2_003B4315
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Code function: 28_2_0038993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose,28_2_0038993E
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\NULL
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe File opened: C:\ProgramData\Package Cache\NULL
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\NULL
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe Code function: 11_2_01016FEC InternetReadFile,WriteFile,WriteFile,GetLastError,GetLastError,11_2_01016FEC
Source: wget.exe, 00000002.00000002.4218026127.0000000000B10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe
Source: wget.exe, 00000002.00000002.4218195091.0000000000C30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe%
Source: wget.exe, 00000002.00000002.4218195091.0000000000C35000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe?
Source: wget.exe, 00000002.00000002.4218195091.0000000000C30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exeOF_P
Source: wget.exe, 00000002.00000002.4218195091.0000000000C30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exeamDat0
Source: is-7T26D.tmp.10.dr, is-TI1V0.tmp.10.dr, is-NQS8E.tmp.10.drString found in binary or memory: https://www.digicert.com/CPS0
Source: CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4267163060.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4265131544.0000000002570000.00000004.00001000.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.tmp, 0000000A.00000000.4268735582.0000000000401000.00000020.00000001.01000000.00000005.sdmp, is-3I2RF.tmp.10.drString found in binary or memory: https://www.innosetup.com/
Source: CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4267163060.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4265131544.0000000002570000.00000004.00001000.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.tmp, 0000000A.00000000.4268735582.0000000000401000.00000020.00000001.01000000.00000005.sdmp, is-3I2RF.tmp.10.drString found in binary or memory: https://www.remobjects.com/ps

System Summary

Source: C:\Windows\SysWOW64\wget.exe File dump: CloudCompare_v2.14.alpha_setup_x64.exe.2.dr 355083480
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\61b0f8.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{53CF6934-A98D-3D84-9146-FC4EDF3D5641}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB2CD.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\msvcp120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\msvcr120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\vcamp120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\vccorlib120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\vcomp120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\61b0fe.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\61b0ff.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{010792BA-551A-3AC0-A7EF-0FAB4156C382}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB88B.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc120chs.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc120cht.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc120deu.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc120enu.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc120esn.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc120fra.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc120ita.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc120jpn.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc120kor.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc120rus.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc120u.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfcm120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfcm120u.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\61b106.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\61b107.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1BA.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{382F1166-A409-4C5B-9B1E-85ED538B8291}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI313.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\concrt140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\msvcp140_1.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\msvcp140_2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\msvcp140_atomic_wait.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\msvcp140_codecvt_ids.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\vcamp140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\vccorlib140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\vcomp140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\vcruntime140_1.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\vcruntime140_threads.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\61b117.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\61b118.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSID36.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{E1902FC6-C423-4719-AB8A-AC7B2694B367}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF1B.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc140chs.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc140cht.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc140deu.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc140enu.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc140esn.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc140fra.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc140ita.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc140jpn.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc140kor.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc140rus.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfc140u.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfcm140.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\system32\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\61b12b.msi
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\61b0fe.msi
Source: CloudCompare_v2.14.alpha_setup_x64.tmp.8.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-3I2RF.tmp.10.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-7J7HR.tmp.10.drStatic PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: is-LJVC9.tmp.10.drStatic PE information: Number of sections : 12 > 10
Source: is-B9FNV.tmp.10.drStatic PE information: Number of sections : 19 > 10
Source: is-SO95H.tmp.10.drStatic PE information: Number of sections : 12 > 10
Source: is-6IHF9.tmp.10.drStatic PE information: Number of sections : 13 > 10
Source: is-L7EPR.tmp.10.drStatic PE information: Number of sections : 19 > 10
Source: classification engineClassification label: mal56.spre.evad.win@37/669@0/1
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeCode function: 11_2_0101F9C6 FormatMessageW,GetLastError,LocalFree,11_2_0101F9C6
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeCode function: 11_2_00FF13BA GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,11_2_00FF13BA
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeCode function: 20_2_000462C2 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,20_2_000462C2
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeCode function: 21_2_00F462C2 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,21_2_00F462C2
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeCode function: 22_2_00E062C2 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,22_2_00E062C2
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeCode function: 24_2_008313BA GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,24_2_008313BA
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeCode function: 28_2_003744E9 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,Sleep,InitiateSystemShutdownExW,GetLastError,CloseHandle,28_2_003744E9
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeCode function: 11_2_0102726D CLSIDFromProgID,CoCreateInstance,11_2_0102726D
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeCode function: 25_2_6B9FA6F8 FindResourceExA,GetLastError,LoadResource,GetLastError,SizeofResource,GetLastError,LockResource,GetLastError,25_2_6B9FA6F8
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeCode function: 11_2_0100EDC2 ChangeServiceConfigW,GetLastError,11_2_0100EDC2
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompareJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\Desktop\cmdline.outJump to behavior
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3636:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_03
Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5884:120:WilError_03
Source: C:\Users\user\Desktop\download\CloudCompare_v2.14.alpha_setup_x64.exeFile created: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeCommand line argument: cabinet.dll20_2_000410E1
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeCommand line argument: msi.dll20_2_000410E1
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeCommand line argument: version.dll20_2_000410E1
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeCommand line argument: wininet.dll20_2_000410E1
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeCommand line argument: comres.dll20_2_000410E1
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeCommand line argument: clbcatq.dll20_2_000410E1
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeCommand line argument: msasn1.dll20_2_000410E1
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeCommand line argument: crypt32.dll20_2_000410E1
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeCommand line argument: feclient.dll20_2_000410E1
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeCommand line argument: cabinet.dll20_2_000410E1
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeCommand line argument: cabinet.dll21_2_00F410E1
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeCommand line argument: msi.dll21_2_00F410E1
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeCommand line argument: version.dll21_2_00F410E1
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeCommand line argument: wininet.dll21_2_00F410E1
Source: C:\Users\user\Desktop\download\CloudCompare_v2.14.alpha_setup_x64.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp File read: C:\Program Files\desktop.ini
Source: C:\Windows\SysWOW64\wget.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: vcredist_2013_x64.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: VC_redist.x64.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: vcredist_x64.exe String found in binary or memory: Failed to re-launch bundle process after RunOnce: %ls
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe"
Source: unknown Process created: C:\Users\user\Desktop\download\CloudCompare_v2.14.alpha_setup_x64.exe "C:\Users\user\Desktop\download\CloudCompare_v2.14.alpha_setup_x64.exe"
Source: C:\Users\user\Desktop\download\CloudCompare_v2.14.alpha_setup_x64.exe Process created: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp "C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp" /SL5="$B01CE,353634964,780800,C:\Users\user\Desktop\download\CloudCompare_v2.14.alpha_setup_x64.exe"
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Process created: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe "C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe" /install /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe Process created: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe "C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe" /install /quiet /norestart -burn.unelevated BurnPipe.{52F10DF7-B7C8-4B5E-AFC8-2BA7C00A35CC} {589A9A7F-E5FB-4992-ADCC-7C833A7A6873} 1628
Source: unknown Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
Source: C:\Windows\System32\SrTasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp Process created: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe "C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe" /install /quiet /norestart
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe Process created: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe "C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe" -burn.filehandle.attached=528 -burn.filehandle.self=684 /install /quiet /norestart
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe Process created: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe "C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{60D065C7-249B-4C30-AB63-A887FF5234A5} {42CC66AD-E068-43D3-BEEF-9923C01C6D50} 1168
Source: unknown Process created: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe "C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe" /burn.runonce
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe Process created: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe "C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe"
Source: unknown Process created: C:\Windows\System32\SrTasks.exe C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
Source: C:\Windows\System32\SrTasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe Process created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=1076 -burn.embedded BurnPipe.{D12062C8-32D1-4D95-9427-EFB8FB4659AF} {9F88753D-DF7E-4F79-A3B9-627D7E10415E} 6156
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Process created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -burn.filehandle.attached=640 -burn.filehandle.self=648 -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=1076 -burn.embedded BurnPipe.{D12062C8-32D1-4D95-9427-EFB8FB4659AF} {9F88753D-DF7E-4F79-A3B9-627D7E10415E} 6156
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe Process created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{935F69E9-7A94-4F90-8C25-27F6F541247F} {146765A4-B826-46FA-82C4-51D72A57D3AB} 5532
Source: unknown Process created: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe" /burn.runonce
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe Process created: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe"
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe Process created: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe" -burn.filehandle.attached=568 -burn.filehandle.self=560
Source: unknown Process created: C:\Windows\System32\LogonUI.exe "LogonUI.exe" /flags:0x4 /state0:0xa3f5d855 /state1:0x41c64e6d
Source: C:\Windows\System32\SrTasks.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: msxml3.dllJump to behavior
Source: C:\Windows\System32\SrTasks.exeSection loaded: vss_ps.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeSection loaded: msi.dll
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeSection loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeSection loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeSection loaded: feclient.dll
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeSection loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeSection loaded: apphelp.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: cryptbase.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: msi.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: version.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: cabinet.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: msxml3.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: windows.storage.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: wldp.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: profapi.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: feclient.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: iertutil.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: uxtheme.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: textinputframework.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: coreuicomponents.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: coremessaging.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: ntmarta.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: wintypes.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: wintypes.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: wintypes.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: msimg32.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: windowscodecs.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: explorerframe.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: riched20.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: usp10.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: msls31.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: textshaping.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: propsys.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: edputil.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: urlmon.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: srvcli.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: netutils.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: sspicli.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: appresolver.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: bcp47langs.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: slc.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: userenv.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: sppc.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeSection loaded: apphelp.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: cryptbase.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: msi.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: version.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: cabinet.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: msxml3.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: windows.storage.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: wldp.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: profapi.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: uxtheme.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: textinputframework.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: coreuicomponents.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: coremessaging.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: ntmarta.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: coremessaging.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: wintypes.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: wintypes.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: wintypes.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: srclient.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: spp.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: powrprof.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: vssapi.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: vsstrace.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: umpdc.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: usoapi.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: sxproxy.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: cryptsp.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: rsaenh.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: feclient.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: iertutil.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: srpapi.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: tsappcmp.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: netapi32.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: wkscli.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: netutils.dll
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeSection loaded: apphelp.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: msi.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: wininet.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: version.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: msasn1.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: feclient.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: iertutil.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: apphelp.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: msi.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: wininet.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: version.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: msasn1.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: feclient.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: iertutil.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: uxtheme.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: textinputframework.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: coreuicomponents.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: coremessaging.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: ntmarta.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: windowscodecs.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: explorerframe.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: riched20.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: usp10.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: msls31.dll
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeSection loaded: textshaping.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: spp.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: srclient.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: srcore.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: powrprof.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: ktmw32.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: vssapi.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: wer.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: bcd.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: vsstrace.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: dsrole.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: msxml3.dll
Source: C:\Windows\System32\SrTasks.exeSection loaded: vss_ps.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: cryptbase.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: msi.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: version.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: apphelp.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: cryptbase.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: msi.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: version.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: feclient.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: iertutil.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: uxtheme.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: textinputframework.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: coreuicomponents.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: coremessaging.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: ntmarta.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: msimg32.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: windowscodecs.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: explorerframe.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: riched20.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: usp10.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: msls31.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: textshaping.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: propsys.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: edputil.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: urlmon.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: srvcli.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: netutils.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: windows.staterepositoryps.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: sspicli.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: appresolver.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: bcp47langs.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: slc.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: userenv.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: sppc.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: onecorecommonproxystub.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: apphelp.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: cryptbase.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: msi.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: version.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: uxtheme.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: textinputframework.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: coreuicomponents.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: coremessaging.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: ntmarta.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: coremessaging.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: srclient.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: spp.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: powrprof.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: vssapi.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: vsstrace.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: umpdc.dll
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeSection loaded: usoapi.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: kernel.appcore.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: cryptbase.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: msi.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: version.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: cabinet.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: msxml3.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: windows.storage.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: wldp.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: profapi.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: apphelp.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: feclient.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: iertutil.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: uxtheme.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: textinputframework.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: coreuicomponents.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: coremessaging.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: ntmarta.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: wintypes.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: msimg32.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: windowscodecs.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: explorerframe.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: riched20.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: usp10.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: msls31.dll
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeSection loaded: textshaping.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: logoncontroller.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: dxgi.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: powrprof.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: userenv.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: slc.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: sppc.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: dsreg.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: dwmapi.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: wtsapi32.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: winsta.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: windows.ui.logon.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: wincorlib.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: dcomp.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: windows.ui.xamlhost.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: mrmcorer.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: windows.ui.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: windowmanagementapi.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: textinputframework.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: inputhost.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: coreuicomponents.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: coremessaging.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: propsys.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: twinapi.appcore.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: languageoverlayutil.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: bcp47mrm.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: windows.ui.xaml.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: profapi.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: urlmon.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: srvcli.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: netutils.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: d3d11.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: dwrite.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: d3d10warp.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: windows.globalization.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: dxcore.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: d2d1.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: textshaping.dll
Source: C:\Windows\System32\LogonUI.exeSection loaded: directmanipulation.dll
Source: C:\Windows\SysWOW64\wget.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
Source: CloudCompare.lnk.10.drLNK file: ..\..\..\..\..\..\Program Files\CloudCompare\CloudCompare.exe
Source: CloudCompare.lnk0.10.drLNK file: ..\..\..\Program Files\CloudCompare\CloudCompare.exe
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpWindow found: window name: TMainForm
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpAutomated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpAutomated click: Next
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpAutomated click: Next
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeWindow detected: Number of UI elements: 19
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeWindow detected: Number of UI elements: 23
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeWindow detected: Number of UI elements: 19
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeWindow detected: Number of UI elements: 23
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeWindow detected: Number of UI elements: 23
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\unins000.dat
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\gamepads
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\iconengines
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\imageformats
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\platforms
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-46B0F.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-FF747.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-4RO78.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-PJC7N.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-LVH07.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-68KA0.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-IB676.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-5LEMA.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-P1BK8.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-0I154.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-RID1O.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDirectory created: C:\Program Files\CloudCompare\plugins\is-Q5HQ4.tmpJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\shaders
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\shaders\Bilateral
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\shaders\Bilateral\is-FD029.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\shaders\Bilateral\is-FEVIA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\shaders\ColorRamp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\shaders\ColorRamp\is-GNU6M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\shaders\DrawNormals
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\shaders\DrawNormals\is-5C51S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\shaders\DrawNormals\is-AJJK2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\shaders\DrawNormals\is-LN22A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\shaders\EDL
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\shaders\EDL\is-EQE9P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\shaders\EDL\is-SE7GB.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\shaders\EDL\is-28PND.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\shaders\EDL\is-6I1PT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\shaders\SSAO
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\shaders\SSAO\is-VTJ2O.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\shaders\SSAO\is-RDTS8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\styles
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\styles\is-A61TV.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-294HR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-G01DC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-AO8GC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-3F5TJ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-PT2MR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-5AB9D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-NFPBE.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-C7NFU.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-BHD9M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-K6TQI.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-K4A07.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-P9EIR.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-GSJV3.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-DIV8J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-V7HLF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-DBN7V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-1DAVQ.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-FOCV9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-LER5S.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-9BVL4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-HKH8K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-90PEC.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-SHR09.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-P7642.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-14MA9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-3HA9J.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-SM57C.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-8K72G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-GM09G.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-PVM8M.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-5O3HT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-JFB27.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\translations\is-1VHV2.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Directory created: C:\Program Files\CloudCompare\unins000.msg
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4DE0A2C8-03F9-4B3F-BAFC-1D5F2141464B}_is1
Source: Binary string: MFCM120U.amd64.pdb source: mfcm120u.dll.19.dr
Source: Binary string: C:\agent\_work\8\s\build\ship\x86\burn.pdb source: VC_redist.x64.exe, 0000001C.00000002.5076405329.00000000003BB000.00000002.00000001.01000000.00000014.sdmp, VC_redist.x64.exe, 0000001D.00000002.5069899828.00000000003BB000.00000002.00000001.01000000.00000014.sdmp, VC_redist.x64.exe, 0000001E.00000002.5066811757.00000000003BB000.00000002.00000001.01000000.00000014.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtbase\lib\Qt5Concurrent.pdb source: is-NQS8E.tmp.10.dr
Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\burn.pdb source: VC_redist.x64.exe, 00000014.00000000.4828099835.000000000008E000.00000002.00000001.01000000.0000000E.sdmp, VC_redist.x64.exe, 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp, VC_redist.x64.exe, 00000015.00000002.5083123529.0000000000F8E000.00000002.00000001.01000000.0000000F.sdmp, VC_redist.x64.exe, 00000015.00000000.4831471787.0000000000F8E000.00000002.00000001.01000000.0000000F.sdmp, VC_redist.x64.exe, 00000016.00000002.5080951014.0000000000E4E000.00000002.00000001.01000000.00000011.sdmp, VC_redist.x64.exe, 00000016.00000003.4979220133.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, VC_redist.x64.exe, 00000016.00000000.4844312637.0000000000E4E000.00000002.00000001.01000000.00000011.sdmp, VC_redist.x64.exe, 0000001F.00000000.5094031159.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 0000001F.00000002.5102159004.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 00000020.00000002.5472779495.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 00000020.00000000.5095675088.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 00000021.00000000.5098146674.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 00000021.00000002.5473438320.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixStdBA.pdbH source: vcredist_x64.exe, 00000019.00000002.5481621682.000000006BA05000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb source: vcredist_2013_x64.exe, 0000000B.00000000.4634022863.000000000102B000.00000002.00000001.01000000.00000008.sdmp, vcredist_2013_x64.exe, 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp, vcredist_2013_x64.exe, 0000000D.00000002.4824554047.000000000102B000.00000002.00000001.01000000.00000008.sdmp, vcredist_2013_x64.exe, 0000000D.00000000.4635349255.000000000102B000.00000002.00000001.01000000.00000008.sdmp, vcredist_x64.exe, 00000018.00000000.4906891056.000000000086B000.00000002.00000001.01000000.00000012.sdmp, vcredist_x64.exe, 00000018.00000002.4941939991.000000000086B000.00000002.00000001.01000000.00000012.sdmp, vcredist_x64.exe, 00000019.00000000.4937116937.000000000086B000.00000002.00000001.01000000.00000012.sdmp, vcredist_x64.exe, 00000019.00000002.5472722655.000000000086B000.00000002.00000001.01000000.00000012.sdmp, vcredist_x64.exe.13.dr
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixDepCA.pdb source: vcredist_2013_x64.exe, 0000000B.00000003.4776674509.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp, vcredist_2013_x64.exe, 0000000B.00000003.4779903913.0000000000BD1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb`E source: vcredist_x64.exe.13.dr
Source: Binary string: MFCM120U.amd64.pdb8@ source: mfcm120u.dll.19.dr
Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\WixStdBA.pdb source: VC_redist.x64.exe, 00000021.00000002.5481724457.000000006C213000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: C:\agent\_work\36\s\wix\build\ship\x86\burn.pdb4 source: VC_redist.x64.exe, 00000014.00000000.4828099835.000000000008E000.00000002.00000001.01000000.0000000E.sdmp, VC_redist.x64.exe, 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp, VC_redist.x64.exe, 00000015.00000002.5083123529.0000000000F8E000.00000002.00000001.01000000.0000000F.sdmp, VC_redist.x64.exe, 00000015.00000000.4831471787.0000000000F8E000.00000002.00000001.01000000.0000000F.sdmp, VC_redist.x64.exe, 00000016.00000002.5080951014.0000000000E4E000.00000002.00000001.01000000.00000011.sdmp, VC_redist.x64.exe, 00000016.00000003.4979220133.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, VC_redist.x64.exe, 00000016.00000000.4844312637.0000000000E4E000.00000002.00000001.01000000.00000011.sdmp, VC_redist.x64.exe, 0000001F.00000000.5094031159.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 0000001F.00000002.5102159004.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 00000020.00000002.5472779495.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 00000020.00000000.5095675088.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 00000021.00000000.5098146674.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 00000021.00000002.5473438320.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\WixStdBA.pdb source: vcredist_x64.exe, 00000019.00000002.5481621682.000000006BA05000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: E:\delivery\Dev\wix37\build\ship\x86\burn.pdb` source: vcredist_2013_x64.exe, 0000000B.00000000.4634022863.000000000102B000.00000002.00000001.01000000.00000008.sdmp, vcredist_2013_x64.exe, 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp, vcredist_2013_x64.exe, 0000000D.00000002.4824554047.000000000102B000.00000002.00000001.01000000.00000008.sdmp, vcredist_2013_x64.exe, 0000000D.00000000.4635349255.000000000102B000.00000002.00000001.01000000.00000008.sdmp, vcredist_x64.exe, 00000018.00000000.4906891056.000000000086B000.00000002.00000001.01000000.00000012.sdmp, vcredist_x64.exe, 00000018.00000002.4941939991.000000000086B000.00000002.00000001.01000000.00000012.sdmp, vcredist_x64.exe, 00000019.00000000.4937116937.000000000086B000.00000002.00000001.01000000.00000012.sdmp, vcredist_x64.exe, 00000019.00000002.5472722655.000000000086B000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: C:\Users\qt\work\qt\qtimageformats\plugins\imageformats\qicns.pdb source: is-7T26D.tmp.10.dr
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe | Code function: 11_2_0101C2AB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,11_2_0101C2AB
Source: CloudCompare_v2.14.alpha_setup_x64.exe.2.dr | Static PE information: section name: .didata
Source: CloudCompare_v2.14.alpha_setup_x64.tmp.8.dr | Static PE information: section name: .didata
Source: is-SG37E.tmp.10.dr | Static PE information: section name: .wixburn
Source: is-60BAL.tmp.10.dr | Static PE information: section name: .wixburn
Source: is-L18HT.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-RRTNV.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-367OG.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-7T26D.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-7IO49.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-SH6IR.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-44QPR.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-IM3K5.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-KNAC1.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-GFP8L.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-PJDHV.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-6MC3O.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-M4ACU.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-2U5C6.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-9T5UJ.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-3BH9T.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-VASEO.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-THO45.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-5BU1G.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-I0DFD.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-E1RT6.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-O0IBB.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-A0I0D.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-6N5GV.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-6N5GV.tmp.10.dr | Static PE information: section name: _RDATA
Source: is-K8P80.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-8FUGF.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-BSE53.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-NOEVB.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-NOEVB.tmp.10.dr | Static PE information: section name: _RDATA
Source: is-3I2RF.tmp.10.dr | Static PE information: section name: .didata
Source: is-6IHF9.tmp.10.dr | Static PE information: section name: .rodata
Source: is-6IHF9.tmp.10.dr | Static PE information: section name: .xdata
Source: is-LJVC9.tmp.10.dr | Static PE information: section name: .xdata
Source: is-SO95H.tmp.10.dr | Static PE information: section name: .xdata
Source: is-JJO2V.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-AG6MA.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-DBST9.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-57LVB.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-9GD5R.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-PLAJK.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-R1KQO.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-IC39K.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-JJSCB.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-5SLJ3.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-V4ADI.tmp.10.dr | Static PE information: section name: _RDATA
Source: is-6J6J7.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-PV2B0.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-S1MM7.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-EFKJI.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-46B0F.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-FF747.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-4RO78.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-PJC7N.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-LVH07.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-68KA0.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-L7EPR.tmp.10.dr | Static PE information: section name: /4
Source: is-L7EPR.tmp.10.dr | Static PE information: section name: /19
Source: is-L7EPR.tmp.10.dr | Static PE information: section name: /35
Source: is-L7EPR.tmp.10.dr | Static PE information: section name: /47
Source: is-L7EPR.tmp.10.dr | Static PE information: section name: /61
Source: is-L7EPR.tmp.10.dr | Static PE information: section name: /73
Source: is-L7EPR.tmp.10.dr | Static PE information: section name: /86
Source: is-L7EPR.tmp.10.dr | Static PE information: section name: /97
Source: is-L7EPR.tmp.10.dr | Static PE information: section name: /108
Source: is-B9FNV.tmp.10.dr | Static PE information: section name: /4
Source: is-B9FNV.tmp.10.dr | Static PE information: section name: /19
Source: is-B9FNV.tmp.10.dr | Static PE information: section name: /35
Source: is-B9FNV.tmp.10.dr | Static PE information: section name: /47
Source: is-B9FNV.tmp.10.dr | Static PE information: section name: /61
Source: is-B9FNV.tmp.10.dr | Static PE information: section name: /73
Source: is-B9FNV.tmp.10.dr | Static PE information: section name: /86
Source: is-B9FNV.tmp.10.dr | Static PE information: section name: /97
Source: is-B9FNV.tmp.10.dr | Static PE information: section name: /108
Source: is-IB676.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-5LEMA.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-P1BK8.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-0I154.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-RID1O.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-Q5HQ4.tmp.10.dr | Static PE information: section name: .qtmetad
Source: is-M0H8O.tmp.10.dr | Static PE information: section name: .didat
Source: is-9SOIV.tmp.10.dr | Static PE information: section name: IPPCODE
Source: is-9SOIV.tmp.10.dr | Static PE information: section name: IPPDATA
Source: is-9SOIV.tmp.10.dr | Static PE information: section name: _RDATA
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe | Code function: 11_2_0101A225 push ecx; ret 11_2_0101A238
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe | Code function: 20_2_00070BC6 push ecx; ret 20_2_00070BD9
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe | Code function: 20_2_0008CD63 push ecx; ret 20_2_0008CD76
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe | Code function: 21_2_00F70BC6 push ecx; ret 21_2_00F70BD9
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe | Code function: 21_2_00F8CD63 push ecx; ret 21_2_00F8CD76
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe | Code function: 22_2_00E30BC6 push ecx; ret 22_2_00E30BD9
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe | Code function: 22_2_00E4CD63 push ecx; ret 22_2_00E4CD76
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe | Code function: 24_2_0085A225 push ecx; ret 24_2_0085A238
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe | Code function: 25_2_6B9FC354 pushad ; ret 25_2_6B9FC355
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe | Code function: 25_2_6B9FEE85 push ecx; ret 25_2_6B9FEE98
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe | Code function: 28_2_0039E876 push ecx; ret 28_2_0039E889

Persistence and Installation Behavior

Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\mfc140jpn.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\mfc140ita.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\mfc140deu.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\mfc140chs.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\mfcm140u.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\mfc140enu.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\mfcm120.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\mfc120u.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\concrt140.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\mfc140fra.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\vccorlib140.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\vcruntime140_1.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\msvcp140_atomic_wait.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\vcomp140.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\mfc140cht.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\mfc140rus.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\mfcm140.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\mfcm120u.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\mfc140kor.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\msvcp140_2.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\mfc140u.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\mfc140.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\msvcp140_codecvt_ids.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\msvcr120.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\vcamp140.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\msvcp120.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\vccorlib120.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\msvcp140_1.dll
Source: C:\Windows\System32\msiexec.exe | System file written: C:\Windows\System32\mfc120.dll
Source: C:\Windows\System32\msiexec.exeFile created: 61b112.rbf (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 61b122.rbf (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\gamepads\xinputgamepad.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 61b0fc.rbf (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-NJKK5.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\avformat-60.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\QBROOM_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-OJOL7.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 61b102.rbf (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-M4ACU.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\TKSTEPAttr.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\QCANUPO_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-FF747.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-AG6MA.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\imageformats\is-7IO49.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\QANIMATION_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 61b129.rbf (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-HTR5G.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-9GD5R.tmpJump to dropped file
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\rdblib.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\msvcp140_atomic_wait.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 61b128.rbf (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc140rus.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\imageformats\qjpeg.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-K8P80.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\QMPLANE_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-R1KQO.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\unins000.exe (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\MeshIO.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfcm120u.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-6DPM8.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\QCSF_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\python3.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\msvcp140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 61b0fd.rbf (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\spatialite.dll (copy)Jump to dropped file
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.ba\wixstdba.dllJump to dropped file
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeFile created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\wixstdba.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-PLAJK.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-R0BP9.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-U49DL.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-O0IBB.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-JJSCB.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-JJO2V.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\TKSTEP.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\QLAS_IO_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\msvcp140_codecvt_ids.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-I0DFD.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\QPCL_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\msvcr120.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\laszip3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\geos.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\CCPluginAPI.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-V004I.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\imageformats\qtiff.dll (copy)Jump to dropped file
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeFile created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\wixstdba.dllJump to dropped file
Source: C:\Users\user\Desktop\download\CloudCompare_v2.14.alpha_setup_x64.exeFile created: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\libmpfr-4.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\Qt5Widgets.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\TKMesh.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-3VB9A.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc120.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-5SLJ3.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\QCC_GL_LIB.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-L7EPR.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-DBST9.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\QMESH_BOOLEAN_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-PJC7N.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\openjp2.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-LVH07.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-2U5C6.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\iconengines\qsvgicon.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 61b127.rbf (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\sqlite3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\styles\qwindowsvistastyle.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\vcamp120.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-6CQIB.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\Q3DMASC_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-F0HDV.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\QFACETS_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\QCOLORIMETRIC_SEGMENTER_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\tbb.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc120chs.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-V9DQ4.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-SNQFL.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\QCLOUDLAYERS_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-8L6OS.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-07UN8.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 61b11e.rbf (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-KFN4K.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\TKBRep.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 61b121.rbf (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc120fra.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\QFBX_IO_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\Qt5OpenGL.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-5JMP9.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\QSSAO_GL_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 61b10f.rbf (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-6IHF9.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc140cht.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-EFKJI.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-7LCC4.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfcm140.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\freexl.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\szip.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\gamepads\is-L18HT.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\_isetup\_setup64.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\Qt5Network.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\QSTEP_IO_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\QCSV_MATRIX_IO_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\vcomp120.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\concrt140.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\QADDITIONAL_IO_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\imageformats\qwbmp.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc120kor.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\TKXSBase.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\QVOXFALL_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 61b11c.rbf (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-Q5HQ4.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\vcruntime140_threads.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 61b123.rbf (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-L996V.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-F1QIM.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 61b116.rbf (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 61b103.rbf (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\TKGeomBase.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-LJVC9.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-BSE53.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\hdf5.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 61b10b.rbf (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-H56RN.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 61b105.rbf (copy)Jump to dropped file
Source: C:\Windows\SysWOW64\wget.exeFile created: C:\Users\user\Desktop\download\CloudCompare_v2.14.alpha_setup_x64.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-KL3UM.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\msvcp140_1.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\msvcp120.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 61b125.rbf (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\is-60BAL.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-46B0F.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: 61b114.rbf (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\System32\mfc120jpn.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-A0I0D.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\plugins\is-5LEMA.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\hdf5_hl.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\imageformats\qico.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\is-R0L87.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\Program Files\CloudCompare\avutil-58.dll (copy)Jump to dropped file
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeFile created: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeFile created: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeJump to dropped file
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.ba\2052\license.rtf
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeFile created: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.ba\3082\license.rtf
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeFile created: C:\Users\user\AppData\Local\Temp\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\.ba1\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeFile created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeFile created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeFile created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeFile created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeFile created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeFile created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeFile created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeFile created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeFile created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeFile created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeFile created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeFile created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeFile created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeFile created: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\3082\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeFile created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeFile created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1028\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeFile created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1029\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeFile created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1031\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeFile created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1036\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeFile created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1040\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeFile created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1041\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeFile created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1042\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeFile created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1045\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeFile created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1046\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeFile created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1049\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeFile created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\1055\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeFile created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\2052\license.rtf
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeFile created: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\3082\license.rtf
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestoreJump to behavior
Source: C:\Windows\System32\SrTasks.exeRegistry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPPJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CloudCompareJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpFile created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CloudCompare\CloudCompare.lnkJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {042d26ef-3dbe-4c25-95d3-4c1b11b235a7}Jump to behavior
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeRegistry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce {804e7d66-ccc2-4c12-84ba-476da31d103d}
Source: C:\Users\user\Desktop\download\CloudCompare_v2.14.alpha_setup_x64.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\LogonUI.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\is-B9FNV.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\iconv.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\TKShHealing.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\netcdf.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\libgmp-10.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\imageformats\is-KNAC1.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\QPHOTOSCAN_IO_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\is-5D63B.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\imageformats\qtga.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\QEDL_GL_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\python310.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\QRDB_IO_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\mfc140chs.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\is-0I154.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\is-RBGPI.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\is-DT4KF.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\QSRA_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\is-TI1V0.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\libpq.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\concrt140.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\Qt5Svg.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\is-V4ADI.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\mfc140fra.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\QCOMPASS_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\imageformats\qwebp.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\QHPR_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\vccorlib140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\vcruntime140_1.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\is-9T5UJ.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\is-7J7HR.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\is-2S06S.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\is-57LVB.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\is-6BGF0.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\mfc120cht.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\vcomp140.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\is-CCDAV.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\proj.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\QPCL_IO_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\QJSON_RPC_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\is-NHH1D.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\is-F214P.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\platforms\is-6MC3O.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\is-IB676.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\is-99499.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\imageformats\qicns.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\is-68KA0.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\Qt5Core.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\mfc120esn.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\mfc140kor.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\gdal202.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\QM3C2_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\libcurl.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\TKG2d.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\swscale-7.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\msvcp140_2.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 61b110.rbf (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\is-HHJ51.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\TKG3d.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\is-8FUGF.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\mfc140u.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\msvcp140.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\Qt5Concurrent.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\mfc120rus.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\ssleay32.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\imageformats\qsvg.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\is-ING89.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\swresample-4.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\QPOISSON_RECON_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\is-BJQA3.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\is-VPRAO.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\geos_c.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\is-GAFKM.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\QPCV_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\openjp2.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\is-LVH07.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\is-2U5C6.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\iconengines\qsvgicon.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 61b127.rbf (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\sqlite3.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\styles\qwindowsvistastyle.dll (copy)Jump to dropped file
Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\System32\vcamp120.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\is-6CQIB.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\Q3DMASC_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\QFACETS_PLUGIN.dll (copy)Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpDropped PE file which has not been started: C:\Program Files\CloudCompare\is-F0HDV.tmpJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\QCOLORIMETRIC_SEGMENTER_PLUGIN.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\tbb.dll (copy)
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\System32\mfc120chs.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\is-V9DQ4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\is-SNQFL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\QCLOUDLAYERS_PLUGIN.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\is-8L6OS.tmp
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: 61b11e.rbf (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\is-07UN8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\is-KFN4K.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\TKBRep.dll (copy)
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: 61b121.rbf (copy)
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\System32\mfc120fra.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\QFBX_IO_PLUGIN.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\Qt5OpenGL.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\is-5JMP9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\QSSAO_GL_PLUGIN.dll (copy)
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: 61b10f.rbf (copy)
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\System32\mfc140cht.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\is-6IHF9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\is-EFKJI.tmp
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\System32\mfcm140.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\is-7LCC4.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\szip.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\freexl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\Qt5Network.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\gamepads\is-L18HT.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\QSTEP_IO_PLUGIN.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\QCSV_MATRIX_IO_PLUGIN.dll (copy)
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\System32\vcomp120.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\QADDITIONAL_IO_PLUGIN.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\concrt140.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\imageformats\qwbmp.dll (copy)
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\System32\mfc120kor.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\QVOXFALL_PLUGIN.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\TKXSBase.dll (copy)
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: 61b11c.rbf (copy)
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\System32\vcruntime140_threads.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\is-Q5HQ4.tmp
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: 61b123.rbf (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\is-L996V.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\is-F1QIM.tmp
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\System32\mfc140.dll
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: 61b116.rbf (copy)
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: 61b103.rbf (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\TKGeomBase.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\is-LJVC9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\is-BSE53.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\hdf5.dll (copy)
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: 61b10b.rbf (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\is-H56RN.tmp
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: 61b105.rbf (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\is-KL3UM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\msvcp140_1.dll (copy)
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\System32\msvcp120.dll
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: 61b125.rbf (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\is-46B0F.tmp
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: 61b114.rbf (copy)
Source: C:\Windows\System32\msiexec.exe; Dropped PE file which has not been started: C:\Windows\System32\mfc120jpn.dll
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\is-A0I0D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\plugins\is-5LEMA.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\hdf5_hl.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\imageformats\qico.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\is-R0L87.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp; Dropped PE file which has not been started: C:\Program Files\CloudCompare\avutil-58.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe; Evaded block: after key decision (graph_11-28996)
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe; Evaded block: after key decision (graph_11-29708)
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe; Evaded block: after key decision (graph_11-30402)
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe; Evaded block: after key decision (graph_11-29877)
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe; Evaded block: after key decision
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe; Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe; Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe; Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe; Check user administrative privileges: GetTokenInformation,DecisionNodes (graph_11-30140)
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe; Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe; Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe; Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe; API coverage: 9.9 %
Source: C:\Windows\System32\SrTasks.exe TID: 604; Thread sleep time: -290000s >= -30000s
Source: C:\Windows\System32\SrTasks.exe TID: 880; Thread sleep time: -290000s >= -30000s
Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe; Code function: 11_2_0101F835 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0101F8D6h
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe; Code function: 11_2_0101F835 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 0101F8CFh
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe; Code function: 20_2_0008506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00085108h
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe; Code function: 20_2_0008506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00085101h
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe; Code function: 21_2_00F8506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00F85108h
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe; Code function: 21_2_00F8506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00F85101h
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe; Code function: 22_2_00E4506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 00E45108h
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe; Code function: 22_2_00E4506D GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 00E45101h
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe; Code function: 24_2_0085F835 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 0085F8D6h
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe; Code function: 24_2_0085F835 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 0085F8CFh
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe; Code function: 28_2_003AFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 05h and CTI: je 003AFE5Dh
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe; Code function: 28_2_003AFDC2 GetLocalTime followed by cmp: cmp dword ptr [ebp+08h], 01h and CTI: je 003AFE56h
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe; File Volume queried: C:\Windows FullSizeInformation
Source: C:\Windows\System32\msiexec.exe; File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe; Code function: 11_2_01009065 _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe; Code function: 11_2_01025D1F _memset,FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe; Code function: 11_2_01026CB2 _memset,_memset,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe; Code function: 20_2_00041700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe; Code function: 20_2_00043B2C FindFirstFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe; Code function: 20_2_0007C2AF FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe; Code function: 20_2_0005B79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe; Code function: 21_2_00F5B79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe; Code function: 21_2_00F41700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe; Code function: 21_2_00F43B2C FindFirstFileW,FindClose
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe; Code function: 21_2_00F7C2AF FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe; Code function: 22_2_00E1B79F FindFirstFileW,lstrlenW,FindNextFileW,FindClose
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe; Code function: 22_2_00E01700 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,FindClose
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe; Code function: 22_2_00E03B2C FindFirstFileW,FindClose
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe; Code function: 22_2_00E3C2AF FindFirstFileExW,FindNextFileW,FindClose,FindClose
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe; Code function: 24_2_00866CB2 _memset,_memset,GetFileAttributesW,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,GetLastError,GetLastError,GetLastError,FindClose
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe; Code function: 24_2_00849065 _memset,FindFirstFileW,lstrlenW,FindNextFileW,FindClose
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe; Code function: 24_2_00865D1F _memset,FindFirstFileW,FindClose
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe; Code function: 25_2_6B9FA685 _memset,FindFirstFileW,FindClose
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe; Code function: 28_2_00373BC3 GetFileAttributesW,GetLastError,GetLastError,SetFileAttributesW,GetLastError,GetTempPathW,GetLastError,FindFirstFileW,GetLastError,SetFileAttributesW,DeleteFileW,GetTempFileNameW,MoveFileExW,MoveFileExW,MoveFileExW,FindNextFileW,GetLastError,GetLastError,GetLastError,GetLastError,RemoveDirectoryW,GetLastError,MoveFileExW,GetLastError,FindClose
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe; Code function: 28_2_003B4315 FindFirstFileW,FindClose
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe; Code function: 28_2_0038993E FindFirstFileW,lstrlenW,FindNextFileW,FindClose
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe; Code function: 20_2_0006FC6A VirtualQuery,GetSystemInfo
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe; File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\NULL
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe; File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe; File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\vcRuntimeAdditional_amd64
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe; File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe; File opened: C:\ProgramData\Package Cache\NULL
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe; File opened: C:\ProgramData\Package Cache\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\packages\NULL
Source: SrTasks.exe, 0000001A.00000003.5052067886.00000198D286F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c
Source: wget.exe, 00000002.00000002.4218291013.0000000000CE8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeAPI call chain: ExitProcess graph end nodegraph_11-30831
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeAPI call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeAPI call chain: ExitProcess graph end node
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeAPI call chain: ExitProcess graph end node
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeAPI call chain: ExitProcess graph end node
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeAPI call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpProcess information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeCode function: 11_2_0101854A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_0101854A
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeCode function: 11_2_0101C2AB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,11_2_0101C2AB
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeCode function: 20_2_000798C7 mov ecx, dword ptr fs:[00000030h]20_2_000798C7
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeCode function: 20_2_0007CFDC mov eax, dword ptr fs:[00000030h]20_2_0007CFDC
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeCode function: 21_2_00F798C7 mov ecx, dword ptr fs:[00000030h]21_2_00F798C7
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeCode function: 21_2_00F7CFDC mov eax, dword ptr fs:[00000030h]21_2_00F7CFDC
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeCode function: 22_2_00E398C7 mov ecx, dword ptr fs:[00000030h]22_2_00E398C7
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeCode function: 22_2_00E3CFDC mov eax, dword ptr fs:[00000030h]22_2_00E3CFDC
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeCode function: 28_2_003A4812 mov eax, dword ptr fs:[00000030h]28_2_003A4812
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeCode function: 11_2_010228F3 GetProcessHeap,RtlAllocateHeap,11_2_010228F3
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeCode function: 11_2_010190E2 SetUnhandledExceptionFilter,11_2_010190E2
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeCode function: 11_2_0101854A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_0101854A
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeCode function: 11_2_0101A74C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_0101A74C
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeCode function: 20_2_00070469 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,20_2_00070469
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeCode function: 20_2_00078567 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_00078567
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeCode function: 20_2_00070934 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,20_2_00070934
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeCode function: 20_2_00070AC7 SetUnhandledExceptionFilter,20_2_00070AC7
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeCode function: 21_2_00F70469 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,21_2_00F70469
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeCode function: 21_2_00F78567 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_00F78567
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeCode function: 21_2_00F70934 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,21_2_00F70934
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeCode function: 21_2_00F70AC7 SetUnhandledExceptionFilter,21_2_00F70AC7
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeCode function: 22_2_00E30469 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,22_2_00E30469
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeCode function: 22_2_00E38567 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_00E38567
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeCode function: 22_2_00E30934 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,22_2_00E30934
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeCode function: 22_2_00E30AC7 SetUnhandledExceptionFilter,22_2_00E30AC7
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeCode function: 24_2_008590E2 SetUnhandledExceptionFilter,24_2_008590E2
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeCode function: 24_2_0085854A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,24_2_0085854A
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeCode function: 24_2_0085A74C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,24_2_0085A74C
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeCode function: 25_2_6B9FC9C1 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,25_2_6B9FC9C1
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeCode function: 25_2_6B9FB88C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,25_2_6B9FB88C
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeCode function: 28_2_0039E188 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,28_2_0039E188
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeCode function: 28_2_0039E625 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_0039E625
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeCode function: 28_2_0039E773 SetUnhandledExceptionFilter,28_2_0039E773
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeCode function: 28_2_003A3BB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,28_2_003A3BB0
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeProcess created: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe "C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe" -burn.filehandle.attached=528 -burn.filehandle.self=684 /install /quiet /norestart
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeProcess created: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe "C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{60D065C7-249B-4C30-AB63-A887FF5234A5} {42CC66AD-E068-43D3-BEEF-9923C01C6D50} 1168
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeProcess created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=1076 -burn.embedded BurnPipe.{D12062C8-32D1-4D95-9427-EFB8FB4659AF} {9F88753D-DF7E-4F79-A3B9-627D7E10415E} 6156
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeProcess created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -burn.filehandle.attached=640 -burn.filehandle.self=648 -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=1076 -burn.embedded BurnPipe.{D12062C8-32D1-4D95-9427-EFB8FB4659AF} {9F88753D-DF7E-4F79-A3B9-627D7E10415E} 6156
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeProcess created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{935F69E9-7A94-4F90-8C25-27F6F541247F} {146765A4-B826-46FA-82C4-51D72A57D3AB} 5532
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeProcess created: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe "C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe" -burn.filehandle.attached=568 -burn.filehandle.self=560
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe c:\windows\system32\cmd.exe /c wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://www.danielgm.net/cc/release/cloudcompare_v2.14.alpha_setup_x64.exe" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -t 60 -p "c:\users\user\desktop\download" --no-check-certificate --content-disposition --user-agent="mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; as; rv:11.0) like gecko" "https://www.danielgm.net/cc/release/cloudcompare_v2.14.alpha_setup_x64.exe"
Source: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exeProcess created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe "c:\programdata\package cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\vc_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=1076 -burn.embedded burnpipe.{d12062c8-32d1-4d95-9427-efb8fb4659af} {9f88753d-df7e-4f79-a3b9-627d7e10415e} 6156
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeProcess created: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe "c:\programdata\package cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\vc_redist.x64.exe" -burn.clean.room="c:\programdata\package cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\vc_redist.x64.exe" -burn.filehandle.attached=640 -burn.filehandle.self=648 -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=1076 -burn.embedded burnpipe.{d12062c8-32d1-4d95-9427-efb8fb4659af} {9f88753d-df7e-4f79-a3b9-627d7e10415e} 6156
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeCode function: 11_2_01023123 _memset,_memset,_memset,_memset,_memset,_memset,InitializeSecurityDescriptor,GetLastError,CreateWellKnownSid,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,CreateWellKnownSid,GetLastError,SetEntriesInAclA,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,SetSecurityDescriptorDacl,GetLastError,CoInitializeSecurity,LocalFree,11_2_01023123
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeCode function: 11_2_01026B28 AllocateAndInitializeSid,CheckTokenMembership,11_2_01026B28
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exeCode function: 20_2_00070CF7 cpuid 20_2_00070CF7
Source: C:\Windows\SysWOW64\wget.exeQueries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmpQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeQueries volume information: C:\Users\user\AppData\Local\Temp\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\.ba1\logo.png VolumeInformation
Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exeQueries volume information: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.ba\logo.png VolumeInformation
Source: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exeQueries volume information: C:\Users\user\AppData\Local\Temp\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\.ba1\logo.png VolumeInformation
Source: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exeQueries volume information: C:\Windows\Temp\{B976E2F9-3909-4892-836B-D192F6E9E285}\.ba\logo.png VolumeInformation
Source: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exeQueries volume information: C:\Users\user\AppData\Local\Temp\{CFA7F461-3ACC-446D-94A1-F387D58BCCC1}\.ba\logo.png VolumeInformation
Source: C:\Windows\System32\LogonUI.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\LogonUI.exeQueries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Windows\System32\LogonUI.exeQueries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeCode function: 11_2_00FF35AD ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateNamedPipeW,CreateNamedPipeW,GetLastError,CloseHandle,LocalFree,CreateNamedPipeW,GetLastError,11_2_00FF35AD
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeCode function: 11_2_0101F835 EnterCriticalSection,GetCurrentProcessId,GetCurrentThreadId,GetLocalTime,LeaveCriticalSection,11_2_0101F835
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeCode function: 11_2_010201CB LookupAccountNameW,LookupAccountNameW,GetLastError,GetLastError,GetLastError,LookupAccountNameW,GetLastError,11_2_010201CB
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeCode function: 11_2_0102851E GetTimeZoneInformation,SystemTimeToTzSpecificLocalTime,11_2_0102851E
Source: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exeCode function: 11_2_00FF1B46 _memset,_memset,CoInitializeEx,GetModuleHandleW,GetVersionExW,GetLastError,CoUninitialize,11_2_00FF1B46
Source: C:\Windows\SysWOW64\wget.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 1 Replication Through Removable Media | 5 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | OS Credential Dumping | 12 System Time Discovery | 1 Taint Shared Content | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 13 Command and Scripting Interpreter | 22 Windows Service | 1 Access Token Manipulation | 2 Obfuscated Files or Information | LSASS Memory | 11 Peripheral Device Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Service Execution | 11 Registry Run Keys / Startup Folder | 22 Windows Service | 1 DLL Side-Loading | Security Account Manager | 1 Account Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 12 Process Injection | 1 File Deletion | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 11 Registry Run Keys / Startup Folder | 23 Masquerading | LSA Secrets | 26 System Information Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Virtualization/Sandbox Evasion | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Process Injection | Proc Filesystem | 1 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 3 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1589812 URL: https://www.danielgm.net/cc... Startdate: 13/01/2025 Architecture: WINDOWS Score: 56
Network node in graph: 162.241.226.205, UNIFIEDLAYER-AS-1US, United States (contacted by wget.exe)

Source | Detection | Scanner | Label | Link
https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe | 0% | Avira URL Cloud | safe

Source | Detection | Scanner | Label | Link
61b0fb.rbf (copy) | 0% | ReversingLabs
61b0fc.rbf (copy) | 0% | ReversingLabs
61b0fd.rbf (copy) | 0% | ReversingLabs
61b102.rbf (copy) | 0% | ReversingLabs
61b103.rbf (copy) | 0% | ReversingLabs
61b104.rbf (copy) | 0% | ReversingLabs
61b105.rbf (copy) | 0% | ReversingLabs
61b10b.rbf (copy) | 0% | ReversingLabs
61b10d.rbf (copy) | 0% | ReversingLabs
61b10e.rbf (copy) | 0% | ReversingLabs
61b10f.rbf (copy) | 0% | ReversingLabs
61b110.rbf (copy) | 0% | ReversingLabs
61b111.rbf (copy) | 0% | ReversingLabs
61b112.rbf (copy) | 0% | ReversingLabs
61b113.rbf (copy) | 0% | ReversingLabs
61b114.rbf (copy) | 0% | ReversingLabs
61b115.rbf (copy) | 0% | ReversingLabs
61b116.rbf (copy) | 0% | ReversingLabs
61b11c.rbf (copy) | 0% | ReversingLabs
61b11d.rbf (copy) | 0% | ReversingLabs
61b11e.rbf (copy) | 0% | ReversingLabs
61b11f.rbf (copy) | 0% | ReversingLabs
61b120.rbf (copy) | 0% | ReversingLabs
61b121.rbf (copy) | 0% | ReversingLabs
61b122.rbf (copy) | 0% | ReversingLabs
61b123.rbf (copy) | 0% | ReversingLabs
61b124.rbf (copy) | 0% | ReversingLabs
61b125.rbf (copy) | 0% | ReversingLabs
61b126.rbf (copy) | 0% | ReversingLabs
61b127.rbf (copy) | 0% | ReversingLabs
61b128.rbf (copy) | 0% | ReversingLabs
61b129.rbf (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\CC_FBO_LIB.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\DotProduct_x64.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\Qt5Concurrent.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\Qt5Core.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\Qt5Gamepad.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\Qt5Gui.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\Qt5Network.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\Qt5OpenGL.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\Qt5Svg.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\Qt5WebSockets.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\Qt5Widgets.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\TKBRep.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\TKG2d.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\TKG3d.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\TKGeomAlgo.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\TKGeomBase.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\TKMath.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\TKMesh.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\TKSTEP.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\TKSTEP209.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\TKSTEPAttr.dll (copy) | 0% | ReversingLabs
C:\Program Files\CloudCompare\TKSTEPBase.dll (copy) | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.cloudcompare.org/doc/wiki/index.php?title=RANSAC_Shape_Detection_(plugin) | 0% | Avira URL Cloud | safe
http://wixtoolset.org/schemas/thmutil/2010lureH | 0% | Avira URL Cloud | safe
https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exeOF_P | 0% | Avira URL Cloud | safe
https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe? | 0% | Avira URL Cloud | safe
http://www.cloudcompare.org/8http://www.cloudcompare.org/8http://www.cloudcompare.org/.2.14.alpha | 0% | Avira URL Cloud | safe
http://www.cloudcompare.org/q | 0% | Avira URL Cloud | safe
https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exeamDat0 | 0% | Avira URL Cloud | safe
http://wixtoolset.org/schemas/thmutil/2010( | 0% | Avira URL Cloud | safe
https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe% | 0% | Avira URL Cloud | safe
http://www.cloudcompare.org/doc/wiki/index.php?title=RANSAC_Shape_Detection_(plugin)dtypehStandard | 0% | Avira URL Cloud | safe
http://wixtoolset.org/schemas/thmutil/2010and | 0% | Avira URL Cloud | safe
http://wixtoolset.org/schemas/thmutil/2010Hd#la | 0% | Avira URL Cloud | safe
http://www.cloudcompare.org/ | 0% | Avira URL Cloud | safe
http://cg.cs.uni-bonn.de/en/publications/paper-details/schnabel-2007-efficient/ | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupUCloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000000.4262184176.0000000000401000.00000020.00000001.01000000.00000004.sdmpfalse
    high
    http://ocsp.sectigo.com0is-TI1V0.tmp.10.drfalse
      high
      http://wixtoolset.org/schemas/thmutil/2010vcredist_2013_x64.exe, 0000000D.00000003.4822154532.0000000001780000.00000004.00000020.00020000.00000000.sdmp, vcredist_2013_x64.exe, 0000000D.00000003.4636365367.000000000110F000.00000004.00000020.00020000.00000000.sdmp, VC_redist.x64.exe, 00000015.00000002.5085142295.0000000003650000.00000004.00000800.00020000.00000000.sdmp, VC_redist.x64.exe, 00000015.00000002.5084483777.0000000001620000.00000004.00000020.00020000.00000000.sdmp, vcredist_x64.exe, 00000018.00000003.4935544989.0000000000664000.00000004.00000020.00020000.00000000.sdmp, vcredist_x64.exe, 00000019.00000002.5477265200.0000000001220000.00000004.00000020.00020000.00000000.sdmp, vcredist_x64.exe, 00000019.00000003.4938745251.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp, VC_redist.x64.exe, 0000001D.00000002.5072566210.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, VC_redist.x64.exe, 0000001D.00000002.5072100212.0000000003490000.00000004.00000020.00020000.00000000.sdmp, VC_redist.x64.exe, 00000021.00000002.5480500041.0000000003850000.00000004.00000800.00020000.00000000.sdmp, VC_redist.x64.exe, 00000021.00000002.5478450343.00000000033E0000.00000004.00000020.00020000.00000000.sdmpfalse
        high
        http://www.cloudcompare.org/qCloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.5134796951.000000000231A000.00000004.00001000.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.tmp, 0000000A.00000003.5128550853.00000000024DD000.00000004.00001000.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exeOF_Pwget.exe, 00000002.00000002.4218195091.0000000000C30000.00000004.00000020.00020000.00000000.sdmpfalse
        • Avira URL Cloud: safe
        unknown
        http://ccsca2021.crl.certum.pl/ccsca2021.crl0swget.exe, 00000002.00000003.4217685738.0000000000B5F000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.4217624341.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.4217624341.0000000000B56000.00000004.00000020.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4267163060.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4265131544.0000000002570000.00000004.00001000.00020000.00000000.sdmp, is-3I2RF.tmp.10.drfalse
          high
          https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe?wget.exe, 00000002.00000002.4218195091.0000000000C35000.00000004.00000020.00020000.00000000.sdmpfalse
          • Avira URL Cloud: safe
          unknown
          http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0sis-TI1V0.tmp.10.drfalse
            high
            http://appsyndication.org/2006/appsynapplicationapuputil.cppupgradeexclusivetrueenclosuredigestalgorVC_redist.x64.exe, 0000001C.00000002.5076405329.00000000003BB000.00000002.00000001.01000000.00000014.sdmp, VC_redist.x64.exe, 0000001D.00000002.5069899828.00000000003BB000.00000002.00000001.01000000.00000014.sdmp, VC_redist.x64.exe, 0000001E.00000002.5066811757.00000000003BB000.00000002.00000001.01000000.00000014.sdmpfalse
              high
              https://www.certum.pl/CPS0wget.exe, 00000002.00000003.4217685738.0000000000B5F000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.4217624341.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.4217624341.0000000000B56000.00000004.00000020.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4267163060.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4265131544.0000000002570000.00000004.00001000.00020000.00000000.sdmp, is-3I2RF.tmp.10.drfalse
                high
                http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#is-TI1V0.tmp.10.drfalse
                  high
                  http://www.cloudcompare.org/8http://www.cloudcompare.org/8http://www.cloudcompare.org/.2.14.alphaCloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4262642089.0000000002570000.00000004.00001000.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.tmp, 0000000A.00000003.4270961139.0000000003480000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://repository.certum.pl/ccsca2021.cer0wget.exe, 00000002.00000003.4217685738.0000000000B5F000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.4217624341.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.4217624341.0000000000B56000.00000004.00000020.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4267163060.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4265131544.0000000002570000.00000004.00001000.00020000.00000000.sdmp, is-3I2RF.tmp.10.drfalse
                    high
                    https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exeamDat0wget.exe, 00000002.00000002.4218195091.0000000000C30000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://wixtoolset.org/schemas/thmutil/2010(vcredist_2013_x64.exe, 0000000D.00000003.4821377116.00000000037DB000.00000004.00000800.00020000.00000000.sdmp, vcredist_x64.exe, 00000019.00000002.5480305652.0000000003510000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://wixtoolset.org/schemas/thmutil/2010lureHvcredist_2013_x64.exe, 0000000D.00000003.4821377116.00000000037DB000.00000004.00000800.00020000.00000000.sdmp, vcredist_x64.exe, 00000019.00000002.5480305652.0000000003510000.00000004.00000800.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    http://appsyndication.org/2006/appsynapplicationc:VC_redist.x64.exe, 00000014.00000000.4828099835.000000000008E000.00000002.00000001.01000000.0000000E.sdmp, VC_redist.x64.exe, 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp, VC_redist.x64.exe, 00000015.00000002.5083123529.0000000000F8E000.00000002.00000001.01000000.0000000F.sdmp, VC_redist.x64.exe, 00000015.00000000.4831471787.0000000000F8E000.00000002.00000001.01000000.0000000F.sdmp, VC_redist.x64.exe, 00000016.00000002.5080951014.0000000000E4E000.00000002.00000001.01000000.00000011.sdmp, VC_redist.x64.exe, 00000016.00000003.4979220133.0000000000A19000.00000004.00000020.00020000.00000000.sdmp, VC_redist.x64.exe, 00000016.00000000.4844312637.0000000000E4E000.00000002.00000001.01000000.00000011.sdmp, VC_redist.x64.exe, 0000001F.00000000.5094031159.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 0000001F.00000002.5102159004.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 00000020.00000002.5472779495.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 00000020.00000000.5095675088.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 00000021.00000000.5098146674.0000000000EFE000.00000002.00000001.01000000.00000015.sdmp, VC_redist.x64.exe, 00000021.00000002.5473438320.0000000000EFE000.00000002.00000001.01000000.00000015.sdmpfalse
                      high
                      https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe%wget.exe, 00000002.00000002.4218195091.0000000000C30000.00000004.00000020.00020000.00000000.sdmpfalse
                      • Avira URL Cloud: safe
                      unknown
                      https://www.remobjects.com/psCloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4267163060.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4265131544.0000000002570000.00000004.00001000.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.tmp, 0000000A.00000000.4268735582.0000000000401000.00000020.00000001.01000000.00000005.sdmp, is-3I2RF.tmp.10.drfalse
                        high
                        http://www.cloudcompare.org/doc/wiki/index.php?title=RANSAC_Shape_Detection_(plugin)is-LVH07.tmp.10.drfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://www.cloudcompare.org/doc/wiki/index.php?title=RANSAC_Shape_Detection_(plugin)dtypehStandardis-LVH07.tmp.10.drfalse
                        • Avira URL Cloud: safe
                        unknown
                        http://subca.ocsp-certum.com02wget.exe, 00000002.00000003.4217685738.0000000000B5F000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.4217624341.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.4218174121.0000000000B60000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.4217624341.0000000000B56000.00000004.00000020.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4267163060.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4265131544.0000000002570000.00000004.00001000.00020000.00000000.sdmp, is-3I2RF.tmp.10.drfalse
                          high
                          http://www.cloudcompare.org/CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.5134796951.000000000231A000.00000004.00001000.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.tmp, 0000000A.00000003.5128550853.00000000024DD000.00000004.00001000.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.innosetup.com/CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4267163060.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4265131544.0000000002570000.00000004.00001000.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.tmp, 0000000A.00000000.4268735582.0000000000401000.00000020.00000001.01000000.00000005.sdmp, is-3I2RF.tmp.10.drfalse
                            high
                            https://sectigo.com/CPS0Cis-TI1V0.tmp.10.drfalse
                              high
                              http://crl.certum.pl/ctnca2.crl0lwget.exe, 00000002.00000003.4217685738.0000000000B5F000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.4217624341.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.4218174121.0000000000B60000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.4217624341.0000000000B56000.00000004.00000020.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4267163060.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4265131544.0000000002570000.00000004.00001000.00020000.00000000.sdmp, is-3I2RF.tmp.10.drfalse
                                high
                                http://repository.certum.pl/ctnca2.cer09wget.exe, 00000002.00000003.4217685738.0000000000B5F000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.4217624341.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.4218174121.0000000000B60000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.4217624341.0000000000B56000.00000004.00000020.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4267163060.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4265131544.0000000002570000.00000004.00001000.00020000.00000000.sdmp, is-3I2RF.tmp.10.drfalse
                                  high
                                  http://wixtoolset.org/schemas/thmutil/2010Hd#laVC_redist.x64.exe, 00000015.00000002.5085142295.0000000003650000.00000004.00000800.00020000.00000000.sdmp, VC_redist.x64.exe, 0000001D.00000002.5072566210.00000000038C0000.00000004.00000800.00020000.00000000.sdmp, VC_redist.x64.exe, 00000021.00000002.5480500041.0000000003850000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://ccsca2021.ocsp-certum.com05wget.exe, 00000002.00000003.4217685738.0000000000B5F000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.4217624341.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.4217624341.0000000000B56000.00000004.00000020.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4267163060.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4265131544.0000000002570000.00000004.00001000.00020000.00000000.sdmp, is-3I2RF.tmp.10.drfalse
                                    high
                                    http://wixtoolset.org/schemas/thmutil/2010andvcredist_2013_x64.exe, 0000000D.00000003.4821377116.00000000037DB000.00000004.00000800.00020000.00000000.sdmp, vcredist_x64.exe, 00000019.00000002.5480305652.0000000003510000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exewget.exe, 00000002.00000002.4218026127.0000000000B10000.00000004.00000020.00020000.00000000.sdmptrue
                                      unknown
                                      http://www.certum.pl/CPS0wget.exe, 00000002.00000003.4217685738.0000000000B5F000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.4217624341.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000002.4218174121.0000000000B60000.00000004.00000020.00020000.00000000.sdmp, wget.exe, 00000002.00000003.4217624341.0000000000B56000.00000004.00000020.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4267163060.000000007FB60000.00000004.00001000.00020000.00000000.sdmp, CloudCompare_v2.14.alpha_setup_x64.exe, 00000008.00000003.4265131544.0000000002570000.00000004.00001000.00020000.00000000.sdmp, is-3I2RF.tmp.10.drfalse
                                        high
                                        http://cg.cs.uni-bonn.de/en/publications/paper-details/schnabel-2007-efficient/is-LVH07.tmp.10.drfalse
                                        • Avira URL Cloud: safe
                                        unknown
                                        http://appsyndication.org/2006/appsynVC_redist.x64.exefalse
                                          high
                                          IP: 162.241.226.205
                                          Domain: unknown
                                          Country: United States
                                          ASN: 46606
                                          ASN Name: UNIFIEDLAYER-AS-1US
                                          Malicious: false
                                          Joe Sandbox version:42.0.0 Malachite
                                          Analysis ID:1589812
                                          Start date and time:2025-01-13 07:57:45 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 17m 1s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:urldownload.jbs
                                          Sample URL:https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                          Number of analysed new started processes analysed:36
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Detection:MAL
                                          Classification:mal56.spre.evad.win@37/669@0/1
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 145
                                          • Number of non-executed functions: 257
                                          • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, VSSVC.exe, svchost.exe
                                          • Not all processes were analyzed, report is missing behavior information
                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                          • Report size getting too big, too many NtCreateKey calls found.
                                          • Report size getting too big, too many NtOpenFile calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • Report size getting too big, too many NtSetInformationFile calls found.
                                          • Report size getting too big, too many NtSetValueKey calls found.
                                          • Skipping network analysis since amount of network traffic is too extensive
                                          • VT rate limit hit for: https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe
                                          Time, Type, Description
                                          02:03:46, API Interceptor, 58x Sleep call for process: SrTasks.exe modified
                                          07:03:50, Autostart, Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce {042d26ef-3dbe-4c25-95d3-4c1b11b235a7} "C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe" /burn.runonce
                                          07:04:10, Autostart, Run: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce {804e7d66-ccc2-4c12-84ba-476da31d103d} "C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe" /burn.runonce
                                          No context
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):659624
                                          Entropy (8bit):6.34353451383787
                                          Encrypted:false
                                          SSDEEP:12288:FOB4p+q4N8d4l2ms4cTHN+m+gy/vEPYysExtvsIvXi1ZG2EKZm+GWodEEpvY/p:iAtvsIvL2EKZm+GWodEEpvYh
                                          MD5:C2028BA6C66363B36EA659CA8816265D
                                          SHA1:5E2BDA10AD417466290DC08FD6EE8BC5FCF0EBBD
                                          SHA-256:3B92E964404E3F94531E7D7C4C7419561D9ECA6ACCD98DC3979C9E3596DB444C
                                          SHA-512:28E87D7360C4BD2EB30152173DA6FDF30340B5FF0186A68F26514088DCC15758851AFD01A179E976A91A9A85F9C1EE0CFA40308ED9D42654739ACF6F6DD773F4
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):963240
                                          Entropy (8bit):6.63315431748134
                                          Encrypted:false
                                          SSDEEP:24576:Nj7dDxvo5outISmDa5HSueghSHkCvx44lmWymt+:NnLLSl1/Cp44h+
                                          MD5:B70474FE249402E251A94753B742788C
                                          SHA1:F53B3C21ADF75DC84977067869253E207F1B9795
                                          SHA-256:753AC30C30AAE62415CC225E3D057B8B6254AFE280696E0A43F1A7C3132632A6
                                          SHA-512:7776E05FE58CB3C12A4A020DEF9596ECFB6DC1B1F8CA010EC27A8AE027EADF1EEF901ACBAFE042E2F7B31D1920F62CE163342ACF37F96802EC27D68AC7BF972E
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):356528
                                          Entropy (8bit):5.9171117722289335
                                          Encrypted:false
                                          SSDEEP:6144:Qg5dgFfqaKFJyHrByeoVRAHq0KzA9OAgfVgYCDlbYh4:QOdcoVRAHqyeX0bH
                                          MD5:6D62E7D709CAAB4A459EDE82366853C0
                                          SHA1:D6DE1FAC72BA254538F2C754928CC35B3AB103AC
                                          SHA-256:5A357A9F10D55B70E50A04B0B6716263E678E877E0934F536CC82AA1C3072C25
                                          SHA-512:0D478FC2C9C5E7CB6A331A0E11156D85A8ECA2B99B1108DC145680F511051D83547FA56073B377212597B5B94B9A77E661178D2549A59AB251700733ED156CF3
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):5608096
                                          Entropy (8bit):6.663647971077495
                                          Encrypted:false
                                          SSDEEP:98304:gs3D53V9oVyhsK/HFLOAkGkzdnEVomFHKnPj:gs3hV9oVyt/HFLOyomFHKnPj
                                          MD5:47999145F1B48D94E732420A5F3E405C
                                          SHA1:29A8A95C4F8824CCD7BC14CC4CADA0545A8DFEF1
                                          SHA-256:FB83E940B281947CC8659611EF6AFA75C21A6626B1E70565D0A573F22A48B55E
                                          SHA-512:F13A52E9444AEE274092BE544C8558ED1BDF58046C983AF49815C6D75C4FD41A361917F3CFC07B3FCAEA69A628D23E7684E4BE939904CE473FC9A4D771355733
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):5634720
                                          Entropy (8bit):6.648198427709692
                                          Encrypted:false
                                          SSDEEP:98304:gpUUemLg/t32Hf+/mm4FLOAkGkzdnEVomFHKnPF:gpAmLg/tcfu4FLOyomFHKnPF
                                          MD5:F7D3FC7C0ED92E2DE47F7F85B684A51A
                                          SHA1:1707DA9AA8460CB65AC7946805CEC12CCA6DB8B3
                                          SHA-256:D822EC4E09FDF5446E62C09CF5819146F09A4670F77AAA81E4133B912592F1F9
                                          SHA-512:FBCABF3B8CCE40A9829FB9894CDB751662CC3A3B41F962691075D7E5D18831AD8C43C697E7919B4B1E96288015BE3544637DED1AC0427844F810BE6C2F221A1D
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):91808
                                          Entropy (8bit):6.334619249503521
                                          Encrypted:false
                                          SSDEEP:1536:sHTxHw36oFacMvsFjFoTc+sgqv4G4DG/I8XJuE1ZwKfrEEeBL7OAvxsVuQbs0p:YTx2qvAD5I8XJuE1Zyv/OAvxsYQQ0p
                                          MD5:480F828BD5B34C59C288F55CB363CAD2
                                          SHA1:95499B7F1005666FB5D273C1B96E8FD239D95866
                                          SHA-256:431E7373DEE1EEE2AB86588DEA061394EDF14A364C026DD47582D982BEFB1D78
                                          SHA-512:C55021AC4B34F32B0C5BDDA842FC52756759723B57DA0F82407291EB928B90C71AA6F61C74B209DE14132530C4BD0DE838C64D34E6F746C76E10342001C67122
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):91816
                                          Entropy (8bit):6.335643438000401
                                          Encrypted:false
                                          SSDEEP:1536:XHTxEJCfkrRasNb3fvSpauyd/nbzLBinzG41ZwK4XEaZNFOAA6QEkbRx:3Tx1YH3XMapRBinzG41ZPwOAA6QEkFx
                                          MD5:D739C219492AEA851D4B71127B310E83
                                          SHA1:488401EC9413C025C5A7CE9AEDC0B7629579A4A6
                                          SHA-256:F0CFCC1A9CD9B246B53FE14FA2F77975763A6DE5FBB3A98CF5EA622BE0C62CEA
                                          SHA-512:A1DD96D1E3BD21382879C0B68B81B2740C14F5DAE9490800A9BD8534A7CF13030163D4149F56E602B903E4DF23A7F0B0B5B3F0F294E1C30B7BEBC4F89D971D7C
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):408656
                                          Entropy (8bit):6.395785800442683
                                          Encrypted:false
                                          SSDEEP:6144:SwuaGNPbmYpnAeJ/vxR8sqDF+/OAgDhvPsuye0axSXft7mA:Pu3NPblpn7J/vxisQ5Fyed+l7V
                                          MD5:406A784AAA43DC068BA5945119109012
                                          SHA1:85BAC30E041B6D85C0D7BA89FC8C05C69D264F88
                                          SHA-256:192E80290753E5A79C56367700A09181321C0984515F4C35E7EA8A0F245877BF
                                          SHA-512:56C4BA950BAFBB6F818BFF9E70EFE59546912A2B4F331C134C9D98B65C165A4251E7C6D60A58DDE9432E618EA9DEF07C57482AEA460B877C826BA5304E7248E4
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):322640
                                          Entropy (8bit):6.349528011750681
                                          Encrypted:false
                                          SSDEEP:6144:7uV4MxQCZKZ+dqA2xwNFMH5X9r69wB9RfRtOm+nWzgoH9e15Jl:CSaZKZLAYwNHwFR91zHmh
                                          MD5:8FC1C2F2EBB7E46DF30ECD772622B0BC
                                          SHA1:168BE3B4545DC617B99D0598565A03C0366820E4
                                          SHA-256:E2E4609C569C69F7B1686F6D0E81CE62187AC5DF05E0247954500053B3C3DE3F
                                          SHA-512:6F3EC746EC10334692E930B515A37F3D5BD342CA60A49C4298924BE933262D7D782DE8A11D4F865A30A5AA22C5515059E3E39A92A61AE5FAE53622CEAA7D5C4B
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):575592
                                          Entropy (8bit):6.535312420736696
                                          Encrypted:false
                                          SSDEEP:12288:N9W8APqgSqvJP85TAv/kLRNKjxDJN7e12QEKZm+jWodEEVx7/:NPW9ILRwjxD62QEKZm+jWodEEb7/
                                          MD5:CFDF6EAF5328FECBDEC268B7F9E21F3A
                                          SHA1:100C8A08DE6544B8554A542AD55AF831F86565E7
                                          SHA-256:9057D39B36B6C7D054865EE2BF9CDE7A490FE3B01EC4E82514687E24F576269F
                                          SHA-512:A81FEB56AE3E4939ABB21597F4F60429B704E04E6C20FAC402A0518FE7B29606BF8824347A7570D98F3C44684C15BF6B520E350321BFC2A42EC5597989215782
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):35944
                                          Entropy (8bit):6.653057193822569
                                          Encrypted:false
                                          SSDEEP:384:Hjh/2cARGLSxXvQ5m9/U09dSzWc15gWWjg1gSt+e3RxB+R9zPmDnzHRN7LSpR9zF:HlWRGF5mZU0PSVkg1HNRxw9z+3eD9zF
                                          MD5:6DD04C14A17CAAE50D068FC89D7D01F0
                                          SHA1:4D2D12D7A0139C8248F9F9266982562ED402B8DA
                                          SHA-256:A65249861238E1C18B84AE5D112617C438D83A76B67EDDC170AD82DBC2338665
                                          SHA-512:9C04F015728D0F57E7B91E888505A0A288064529BF72DFB1F2C5FC571DB40C2CC118782B8544BEBC4E26B8BD189667FE65D13289A4F347B2805FF5EC5B9646AE
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):267880
                                          Entropy (8bit):6.5200682286945115
                                          Encrypted:false
                                          SSDEEP:6144:LLgFc7g9tEmUoGARVA9+VXgtF+hwvWY/q:ul9tbVA9+uF+0WV
                                          MD5:DDC38BB34DE28E1F42B6DEA9770D4D65
                                          SHA1:6FC98E48F5E738C82279ED0F445AC1DD9C4D02A3
                                          SHA-256:89E2E9A163165E20C540F9ADEA081E927DDFE4A556547B0F45F11586D4CCE165
                                          SHA-512:F4B07D80BE1E64F132DBC1AB2F29E4CA6B2CC589B348328937857CE9B578118497D6F39AFEBE49DD19E3665A8BAB92E441721613D4EBE873254AD0BEAD6F446F
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):50256
                                          Entropy (8bit):6.650307191256275
                                          Encrypted:false
                                          SSDEEP:768:iI39vdGFBtDsnyFf+7gcPXepKn/U9zS68rFT9zy:39vI2yigcPXepKnkzS68rTzy
                                          MD5:333727166AF151E95B05CB54550342CD
                                          SHA1:746504C9056B83D9AF6F800905B80E864AAEA5F4
                                          SHA-256:FBF41E4B53F51BBF73FEE37B6120103FEA6B7D5AE29916F8EF50C50CFDEDEEAD
                                          SHA-512:2D9FA95A068784A8E799362FAF97B42253DBD614DA504907ED01D1F7F3FDC56D1BB964B2009171EDA87149A595D84EC83D50DAFF30BE9BD6F7A3C76C75226C40
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):31824
                                          Entropy (8bit):6.837226224621119
                                          Encrypted:false
                                          SSDEEP:384:q4Dgv27sdWirEW5St+eASR9zy4gq2OHRN7BR9z2A:BgvkwOGe9zfU6r9z
                                          MD5:208CD115A93175DB7A8EE80B97E0CC28
                                          SHA1:789E0DA53C321D7A64C1435F569FDBFB249DFACD
                                          SHA-256:0E1D3D76E899A89FB3893FB13ABAE232FF62AD4F573214DD2F02B8398166BCC6
                                          SHA-512:8E0BF76440D64D2331FA9988F81850F646A91335C02A2028877ADD6190CF4CAC533CF22825D2F0565B854075CF70FF86CD728E2114284F2321E52B1B47004DE6
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):351824
                                          Entropy (8bit):6.052949543661257
                                          Encrypted:false
                                          SSDEEP:6144:akHIL35SLayPmH24CX70uADWIVKTxWJchBBhWwZgpvCiNnMniWcNNTy:jwp4aEZGli
                                          MD5:164561905F701BC680D654232BB5C4D1
                                          SHA1:ACEF59F34D1245169A671C32D69EB204DC5897D3
                                          SHA-256:8903B5D88968791D2A93648A54A1AC3D1C708C579A72311FFE194F6D66903043
                                          SHA-512:5237F7A722100167A0291B215F151F502AE615160E58D2130FB693289D3C87415EDBA3F0A96B11118117A574F58B50A348D21CE4A32987FABB5D9B4BBBC83887
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):192104
                                          Entropy (8bit):6.460819297931624
                                          Encrypted:false
                                          SSDEEP:3072:q1+imylDoToQ9tZgCpybBqeMY3ov8cuNFmAEPPZsQ/JNT1nNQ:e93i8Q6IEBhMUoPOCpx/3DQ
                                          MD5:17CF948597BEFC68706E3121BB0ACDE6
                                          SHA1:D7F13076A2FBDE1F88127118EBD9BAA9C782BC71
                                          SHA-256:036B9B3F7ECE8DFD48AECCD77113721C5305043AAA9C64D1E72812252727AA7C
                                          SHA-512:28475DA6F70C355EC113CD41B2DB3CA0676B3F87495BEBFD76D916047D08B9F27DA7B7EC6F3EB9862BE1947DE163F68B96D12C6864EBD0036B997096728A8003
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):120432
                                          Entropy (8bit):6.602841735473839
                                          Encrypted:false
                                          SSDEEP:1536:R9TXF5YXWbj8qr51XlN+dULTCe1IGhKWyxLiyaXYaWEoecbdhUoTtHez9FazR:REnsvReGsWyxLizXFCecbd1Tt+i1
                                          MD5:943FC74C2E39FE803D828CCFA7E62409
                                          SHA1:4E55D591111316027AE4402DFDFCF8815D541727
                                          SHA-256:DA72E6677BD1BCD01C453C1998AAA19AEAF6659F4774CF6848409DA8232A95B2
                                          SHA-512:96E9F32E89AEE6FAEA6E5A3EDC411F467F13B35EE42DD6F071723DAEBA57F611DBD4FF2735BE26BB94223B5EC4EE1DFFEDF8DC744B936C32A27D17B471E37DCF
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):49744
                                          Entropy (8bit):6.702924040492291
                                          Encrypted:false
                                          SSDEEP:768:qzzO6ujT3MbR3v0Cz6SKLq83yN+iRxw9zv6JmEpw9zF:3q/o1j3c+iIzv6JmEp4zF
                                          MD5:05052BE2C36166FF9646D7D00BB7413F
                                          SHA1:D8D7C4B322D76E3A7B591024C62F15934979FE40
                                          SHA-256:26E470B29BED3D873E0C328186E53F95E9EDBFE0B0FD0CDA44743A0B1A04A828
                                          SHA-512:0460CC66D06DF9A2941607473F3ECCFD909F2ADAB53A3328FADCEDD1B194B388ECA738C2C6C2E193DE33606925FBED1FE39EFA160015128E93F5E3A03C62170D
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):5622864
                                          Entropy (8bit):6.7472704207598255
                                          Encrypted:false
                                          SSDEEP:49152:oAq8lW0qJev85e6u9Pq7ao/prvFl4DER1Oh9B3LGcttK5kFDvGtMuSwIbFLOAkGF:g/eENpIfDvFLOAkGkzdnEVomFHKnP
                                          MD5:277949968E022B74D4370E94AAA70D76
                                          SHA1:0902D716F2966DFBC8ED32237F00DB52FB1A9EA9
                                          SHA-256:3916D6406CBD63B81300989EFF24042FD16A1344EDD9904E6093A1619853B9B8
                                          SHA-512:3452E7DD91158AE1474DBD838C5AFB4F281F4A0F0D0C9F665506108555DC087C9086257D70643F7281200C19638D4059679E9D1E610F8E935A447428D32B38ED
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):5658192
                                          Entropy (8bit):6.729941320562663
                                          Encrypted:false
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):96416
                                          Entropy (8bit):6.387028558514212
                                          Encrypted:false
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):96384
                                          Entropy (8bit):6.3866070308269265
                                          Encrypted:false
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):51304
                                          Entropy (8bit):6.319038641792757
                                          Encrypted:false
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):51280
                                          Entropy (8bit):6.3571761032627
                                          Encrypted:false
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):79976
                                          Entropy (8bit):4.994443234085317
                                          Encrypted:false
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):70256
                                          Entropy (8bit):5.150852428474578
                                          Encrypted:false
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):78952
                                          Entropy (8bit):4.971589823131607
                                          Encrypted:false
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):79976
                                          Entropy (8bit):4.975449677987261
                                          Encrypted:false
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):77936
                                          Entropy (8bit):4.979078290008832
                                          Encrypted:false
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):58960
                                          Entropy (8bit):6.151712284541509
                                          Encrypted:false
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):58472
                                          Entropy (8bit):6.272332121552409
                                          Encrypted:false
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):75856
                                          Entropy (8bit):5.502784487678861
                                          Encrypted:false
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):15124
                                          Entropy (8bit):5.534114621006713
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):21956
                                          Entropy (8bit):5.385907987024206
                                          Encrypted:false
                                          SSDEEP:384:LtT8MgXEtmrnb0MM0Is+AfCuS588Uxx+l6lBFXDcpO:LtT8MgXEtmrnb0MM0Il8xl
                                          MD5:3F301E76CA2F44E7E39C1F5EEA02FEA5
                                          SHA1:F4CA9CD8DB681068F35128522DF635931E608182
                                          SHA-256:E8EEE53873E2474C7DECBC81EBFE613326702221A8A82BB25E2E00A0DFC819AE
                                          SHA-512:5EAA3E07B2600070A82804F50D6186FDC3B4CBB0D2D820BDECD63BCFF2114EAD2CC2E019BCB073D51BC87EF355EC8A1895B184F412A6FB02540CC353B9D4DF99
                                          Malicious:false
                                          Reputation:low
                                          Preview:...@IXOS.@.....@y.-Z.@.....@.....@.....@.....@.....@......&.{010792BA-551A-3AC0-A7EF-0FAB4156C382}=.Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40664..vc_runtimeAdditional_x64.msi.@.....@....@.....@........&.{A1135D47-2E01-4DE6-AB19-25679EC5D3CF}.....@.....@.....@.....@.......@.....@.....@.......@....=.Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40664......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{191E6DE4-E7B2-3CE9-B48B-25D0FFF3D88E}&.{010792BA-551A-3AC0-A7EF-0FAB4156C382}.@......&.{E70078E7-D25B-421C-A415-0AB472053F72}&.{010792BA-551A-3AC0-A7EF-0FAB4156C382}.@......&.{7D2EA505-A879-4E71-8632-F3DE9B679CE6}&.{010792BA-551A-3AC0-A7EF-0FAB4156C382}.@......&.{1F74928D-AA17-468C-A7D7-6A730A8DB25B}&.{010792BA-551A-3AC0-A7EF-0FAB4156C382}.@......&.{ECA05A2B-D2CC-43F5-B3B4-6501C6C75D8B}&.{010792BA-551A-3AC0-A7EF-0FAB4156C382}.@......&.{ABE93925-6BF3-4948-90FF-1E4DF15
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):19481
                                          Entropy (8bit):5.418065012904404
                                          Encrypted:false
                                          SSDEEP:192:noNR9oyQlYLWR9+yQlY75+XGqGIara8R2OMyOW5WcvQgKxBFUHZu4KNWKQzh7q/m:nuRUlpRGlKFCA
                                          MD5:B9BE5509FBFFDCA13909A999F117FE74
                                          SHA1:F8D4D203C4B6A159ED4F196C4945B6E8A091FF7A
                                          SHA-256:F2E2AEBDF477BEB4612AF333CB93ED55EE8E910467F12CCA897C27312837AACB
                                          SHA-512:E1B88DFAB484E7E310D1C198DE65ADD4A0BEEFF406A1570874C4B334C83E07C79B7AA3CDC661AAA7E03CF57868FB94F21A30C2269C568A09D70699F4D3BD7D9A
                                          Malicious:false
                                          Reputation:low
                                          Preview:...@IXOS.@.....@..-Z.@.....@.....@.....@.....@.....@......&.{D5D19E2F-7189-42FE-8103-92CD1FA457C2};.Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532..vc_runtimeMinimum_x64.msi.@.....@..$..@.....@........&.{4E8C8C37-B448-4BB0-8A8B-F640B3239F71}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....InstallInitialize$..@....z.Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\F2E91D5D9817EF24183029DCF14A752C\Transforms...@....(.$..@....@.Software\Microsoft\Windows\CurrentVersion\Installer\TempPackages...@....(.&...C:\Windows\Installer\8b6a7.msi..#0$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\F2E91D5D9817EF24183029DCF14A752C\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ......
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):22326
                                          Entropy (8bit):5.407217979431826
                                          Encrypted:false
                                          SSDEEP:384:n1Ipt1tdtgt+tQtHtMtOt0tftetltGt6tMMN4hIdxGOoln3K/k0Aorje0AorXkRz:nmXfGY2N6oCF4HgM/knj
                                          MD5:EDD989A4EF1A113225983E9D238461EC
                                          SHA1:AA696AC037D244CFD04935861E281517CA71595A
                                          SHA-256:924B504E87552DA7BF0F1B1216D8AD3D0F5886D4F964AEC7DF61011B736A7398
                                          SHA-512:A3340BC528AFF91D446C6935E647AB300FDE7A8D15956321C288A13C116AD10BBAA8802BD0F14ABD4F16E067BC37F444A8B25E2E8674A0FAAF46F63EC20FAEBA
                                          Malicious:false
                                          Reputation:low
                                          Preview:...@IXOS.@.....@..-Z.@.....@.....@.....@.....@.....@......&.{382F1166-A409-4C5B-9B1E-85ED538B8291};.Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.42.34433..vc_runtimeMinimum_x64.msi.@.....@..*..@.....@........&.{A75B920C-55CD-4531-932F-CB4C539C41F8}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.42.34433......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3639FCCA-5969-316D-AC18-E0C6B2B532E9}&.{382F1166-A409-4C5B-9B1E-85ED538B8291}.@......&.{D2959D22-4DB7-32AF-A1B0-8405C4221749}&.{382F1166-A409-4C5B-9B1E-85ED538B8291}.@......&.{B33258FD-750C-3B42-8BE4-535B48E97DB4}&.{382F1166-A409-4C5B-9B1E-85ED538B8291}.@......&.{4AF15CBB-F5C1-4468-A694-C5A03A2238D5}&.{382F1166-A409-4C5B-9B1E-85ED538B8291}.@......&.{2427B123-F132-4F0B-A958-50F7CDFCAA56}&.{382F1166-A409-4C5B-9B1E-85ED538B8291}.@......&.{22824972-0C4A-31B4-AEEF-9FC7596F1305}&
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):22409
                                          Entropy (8bit):5.376235263079868
                                          Encrypted:false
                                          SSDEEP:384:mZRHl4R2lmVH3WLWsdfPjFuzYZWxhMClaISYD63Jh1:mvH62cVH6axA
                                          MD5:2C17F49B50B189FEF75E701CBE6344F1
                                          SHA1:A2B46E23877D75CDAAAE95231DA993F98C7F4346
                                          SHA-256:A2CDB80F6371CCE6B8188EC6EC65C4C9010E16654EE4D55A47EA56FBF5FC493E
                                          SHA-512:544F1428E51E63E7DB44E6E979FBC3FE002FD7BB077CCCB67BF0A8BAAFDD841EE766A44E7D9B040446BEEFE0EE6B2D76106ABA2CFAD380B66C62E86240754CAD
                                          Malicious:false
                                          Reputation:low
                                          Preview:...@IXOS.@.....@..-Z.@.....@.....@.....@.....@.....@......&.{0025DD72-A959-45B5-A0A3-7EFEB15A8050}>.Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532..vc_runtimeAdditional_x64.msi.@.....@..$..@.....@........&.{DD2B5EB1-E08E-45CD-8D47-2D0457D64BA3}.....@.....@.....@.....@.......@.....@.....@.......@....>.Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....InstallInitialize$..@....z.Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\27DD5200959A5B540A3AE7EF1BA50805\Transforms...@....(.$..@....@.Software\Microsoft\Windows\CurrentVersion\Installer\TempPackages...@....(.&...C:\Windows\Installer\8b6ab.msi..#0$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\27DD5200959A5B540A3AE7EF1BA50805\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... .
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:modified
                                          Size (bytes):21765
                                          Entropy (8bit):5.337426787015097
                                          Encrypted:false
                                          SSDEEP:384:mgPEsZBwNx7pxqUjy4O3JKsalckU72eC647vpSlwlwINIDYJBy:mgPEsZBwNx7pxqU2v3JE7xSlchNID4By
                                          MD5:17A5EBF338A2613E6CB2328E2FB3382C
                                          SHA1:DFA21969BD6B6BBCB566351A1C92E4514E978EFB
                                          SHA-256:A6C643EF092580E830558FBDC7B6FD6D89D25BCC69166482965D93F3B834BCCE
                                          SHA-512:02A76E1F81BC52A1218276AB5DD80EA7BFBF6A554B1E05D89DA4B4751DED63524D05F1AFA11CA5310E4CEE75DEC1D30A2D8EDF36E93D2751E69D0A83BD5B2468
                                          Malicious:false
                                          Reputation:low
                                          Preview:...@IXOS.@.....@..-Z.@.....@.....@.....@.....@.....@......&.{E1902FC6-C423-4719-AB8A-AC7B2694B367}>.Microsoft Visual C++ 2022 X64 Additional Runtime - 14.42.34433..vc_runtimeAdditional_x64.msi.@.....@..*..@.....@........&.{E04E511C-7D1F-4263-AB6A-F816392FD4D7}.....@.....@.....@.....@.......@.....@.....@.......@....>.Microsoft Visual C++ 2022 X64 Additional Runtime - 14.42.34433......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{3639FCCA-5969-316D-AC18-E0C6B2B532E9}&.{E1902FC6-C423-4719-AB8A-AC7B2694B367}.@......&.{D2959D22-4DB7-32AF-A1B0-8405C4221749}&.{E1902FC6-C423-4719-AB8A-AC7B2694B367}.@......&.{99A922E3-648F-3C37-8AE6-78232F317B1E}&.{E1902FC6-C423-4719-AB8A-AC7B2694B367}.@......&.{8924DA15-E863-388D-A06B-E7A3931AD77B}&.{E1902FC6-C423-4719-AB8A-AC7B2694B367}.@......&.{32252141-0BE5-3AFE-9849-D281CD954D43}&.{E1902FC6-C423-4719-AB8A-AC7B2694B367}.@......&.{AD221A2C-956B-3F16-8F64-FC938
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):649728
                                          Entropy (8bit):7.039680213745585
                                          Encrypted:false
                                          SSDEEP:6144:MQOW+qYe7k6z8Mm6VKLjg1SL41q6iecU5PyAWIMWvh2MHg/sKuHNsEYhr/0p4D53:MQfi+r4w1SyqdexyHnMYsKutsEYR8pm
                                          MD5:31670756C84482C651BB895F9A6B87E5
                                          SHA1:A543B94A82DAD65923F4F2A666D5BB7020811BC8
                                          SHA-256:980069AFCB062404F1ACA91CACD514C28E55513244B44141D29359369EF950CB
                                          SHA-512:C1C1B5B88AB548A518CAF295954A3E833B0F7393ABF55011130707B76BF024034713313D8323026F2AD91D3ECB8635D7914AC336E3E627FEBB4C006657D509EE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):722944
                                          Entropy (8bit):6.461841037101138
                                          Encrypted:false
                                          SSDEEP:12288:+DGOd2K9pFsPqEbVqbo16ITqX5PBxH4UdAWhZ5HXJKl:iddZ9pFViVqRIM5ZrZ5HX4l
                                          MD5:EA03FE27DF3672898090FE652DCAFDF1
                                          SHA1:A4C555ABE482DE8A409DE9CB2B04B39458A47B94
                                          SHA-256:B8D52C7B6F5407F8FBB89EDA8F0D09DBF13665324B1B48CE08602EB5CEB915BE
                                          SHA-512:BAE517ACA75A646596201B977A04D8B0F08AA01777B387700AF3E2D155958C0CECBC944AC2C856661223B1DFB1888EDD7DD6E4DA99891CDBE4D97467D79D987A
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):216064
                                          Entropy (8bit):6.0328472485055205
                                          Encrypted:false
                                          SSDEEP:6144:WxSpnOEgvfV8XO32ZHYHCct544Jd20dHUI/cGMnXOSIDOYvXUqiwrsAtj4hawtah:+jEo9t544Jd20dHUI/cGM6
                                          MD5:B23960264D44FC1F13250213106DC184
                                          SHA1:014D92C4DABA21E22D30435719477B6A146259AA
                                          SHA-256:7F7B6D425D87A7D8BBA1625CEDAAF0D9CC9B92AC9CA4ACA05B53820CD818A0D9
                                          SHA-512:45FA43135A66878B6E2B3352AF7DC13F9BC867F53067DBBCBB4A8AD6D7F7ED074EA60986F9E105C8896E8BF64C9089146124977CEF2AE5F6451FF562AD725A9B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):33792
                                          Entropy (8bit):5.544702627865242
                                          Encrypted:false
                                          SSDEEP:768:TLAqRG/xoIUEVsaZ69deagBin87Z2c4AbGP:TK/xotEVtZ69kagBin87Z2cfGP
                                          MD5:C960C48DE097FD3C2BA3B43C095CE388
                                          SHA1:A4551EEF2EBA4A4EE4A6EC83A5953F63CE3BE0C6
                                          SHA-256:1D0F01ED76CE83AC277BF2260575FE47F3910E2CBA4C5A26F90F811E902962D9
                                          SHA-512:A3ACD232B28922C4C40A9BE09C002445E6384119A2937361E1C7ADA577924C6CB7B40053A06D9F433CE5660AFEFF5EC23853304C1102BAA45ED8B49583461183
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):235711
                                          Entropy (8bit):4.881009157481132
                                          Encrypted:false
                                          SSDEEP:3072:VinPJqOuT19YK0ooi4M5Np+FrqzDnBUMvGnkKbAeLqHjawFUPM8CVuH3H32p:L193ou8rqzDLvGxAeODacNTyG
                                          MD5:8FA735FC69E7AE5D70271BA457633099
                                          SHA1:5DFA18BA94398B07728443A951B9BE99857254AB
                                          SHA-256:00A8F881A71EB2B13E18C5D6B1795A7D0D0A1B7A8E7D93753BA843D0D859555F
                                          SHA-512:050228D412EFF4FED36F8EF7D972DEF23EB369139CAB692AEFC83E83A2654C7E5D5E737F8F2160C13E93C8782C9C5283BD4B5D05975BFBAA4684DA6123ED410F
                                          Malicious:false
                                          Reputation:low
                                          Preview:CloudCompare Version History..============================....v2.14.alpha (???) - (??/??/202?)..----------------------..New features:...- Edit > Color > Gaussian filter...- Edit > Color > Bilateral filter...- Edit > Color > Median filter...- Edit > Color > Mean filter....- to improve coloring by applying a color filter.....- New Command line options....- New command -FILTER -RGB -SF {-MEAN|-MEDIAN|GAUSSIAN|BILATERAL} -SIGMA {sigma} -SIGMA_SF {sigma_sf} -BURNT_COLOR_THRESHOLD {burnt_color_threshold} -BLEND_GRAYSCALE {grayscale_threshold} {grayscale_percent}.....- command arguments with a dash can be in any order.....- -RGB runs the filter on color.....- -SF runs the filter on the active scalar field.....- -RGB and -SF can be used at the same time, otherwise at least one of the 2 options is required.....- -MEAN|-MEDIAN|GAUSSIAN|BILATERAL......- specifies the filtering algorithm to use......- required......- only one should be set (However, if multiple are passed, only the first one will
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):3778688
                                          Entropy (8bit):6.381493838760625
                                          Encrypted:false
                                          SSDEEP:49152:46SRSFneW0gGoV8tBB0pgRQBPMmS9BQRCSY0uKBY9zwaSNtASu58JfX/MkjX9F:XFFjByQET9iu8PXjT
                                          MD5:EB6EE54899E763C0C32625847735CB42
                                          SHA1:98DB0FC03A7BBD71901770F9637AA3EB57DC05D9
                                          SHA-256:0FA8364972240178560821D374BDA70A8A5E5B2AE05374E258C9599D8DF4A554
                                          SHA-512:E205199D0AE9A68BDD8E26809D5CC6C8360EA00D9C94A6B53F1B48A6EEC7DF7672062B4A9BF8A3A890D8053E66241464D099520841F647EFD98862AE3AE4AAFC
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):2214912
                                          Entropy (8bit):6.384721005949699
                                          Encrypted:false
                                          SSDEEP:49152:ia4lRuO7XhnHmm4HjrbUABSEIS0Al2wIiXXo:vP8wbX
                                          MD5:DBF3283EE74FACA95837DF0499F2769E
                                          SHA1:A616D088099D914356AFACB1CAD9D7FD6577838A
                                          SHA-256:C1D5952D8C1D258866AD7AA8C4A34E98E3953492093E39B651A8EEEB7B3C2911
                                          SHA-512:A6F928A7C3DCE1F3EFD344ADB31F495E9ACEDAD2735329D9CD26705460F4A1150AFC05B457B7B9166CDB0C2A9F34850FF2FCEBB495A2879AA65D5354F3A7FD52
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1405440
                                          Entropy (8bit):6.457300172251594
                                          Encrypted:false
                                          SSDEEP:24576:YF/mgRJ1GjiW1J/ZtHWTbFBy8L1OXerAKmj1l5+Fbya8q2eE:M2ZtHWPFByPP5+FbyFe
                                          MD5:9421DE1243DA93AC477AC5333AC04406
                                          SHA1:1098DFFC6F5955E00C2886E912FB17EC0C849A46
                                          SHA-256:7F6D8D720DE4720BDC0796D1AA1965E88CBA718BBEFF0C8ADA30987D6219C4A9
                                          SHA-512:0911FC373F6BBA0E0A5550A273C9D5125475C77E0983828EADE7C4A9358433884A07727E8EFA276F2423E83B652817F0379EA80F2852D8D9F706A75DB85827B3
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):326144
                                          Entropy (8bit):6.195700191357499
                                          Encrypted:false
                                          SSDEEP:6144:aiEihwMr/RYZfJTW3z9EVWJ9nB5ouD0K+6nkZRAAB5Ohl0omBEV/jVq9mUT74Rsx:aiEiOsJatVUEA
                                          MD5:E421801BEAB05A96A041EA2A759D7E50
                                          SHA1:6E6BA8E783E8F4A8E3984A8324D353D56F360AE8
                                          SHA-256:9E3B73B7395CF53942CE363FC69A825B53534703920691D38E97BD84C08825F8
                                          SHA-512:7DC1D88B8E5BD519887BD9DDA2700EBE7AB8647DB1E8E1B56D749EA670F91D451BD7DC8D0D1C02775F89D4EA108575ECE3A7402B43EE8DF32428F0A6F54AF3FA
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):803328
                                          Entropy (8bit):6.301764713308598
                                          Encrypted:false
                                          SSDEEP:12288:zi/B1Q7qKbhpvjs13V8nt0aG4m5UTmSpN2oyIKefN/4:zSB1Q7qK1pMktxQUT3v2XI9/
                                          MD5:65E878BE5E621489342B5369D2CD446D
                                          SHA1:5FE0112DD80BEAFF167212E13DB73335BC1C5120
                                          SHA-256:14DD904B4DF2BC9956EC1719F778E141350913DF097368E77BACE6CA1DC7F339
                                          SHA-512:31AEBFCB29905AE710C33A45A93B9EB28755CDEF47861B22A2854994B6ED634D999E93FDCE55913B218FF1D99290AA68F9CA7F80F9B66A517802495E66EC4205
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):33264
                                          Entropy (8bit):6.210822520849061
                                          Encrypted:false
                                          SSDEEP:768:zSv+K3b4/Cfg+E2wkjk/+ZW8DT92r+dDGMUf2hKd:Wvm6XS/8FDTsr+PUf/d
                                          MD5:7E40B0FAA08E8F2AD78BE6698225E3E4
                                          SHA1:03332C56E4DCFEFC33BB731133BD3EF71C4CA9EC
                                          SHA-256:2212E66EADD559705E244409354ED264C286A3CAC7A3E511737C3D31E2A0F4AE
                                          SHA-512:A4C545A8B8DAAF6B4321BB51745454B77D1F591C7131F19FDD40BACD943D5074886037CEAE19E7F1515313B0F990E42A83520957CEDF056A39E1EC1E4AFD7272
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):6023664
                                          Entropy (8bit):6.768988071491288
                                          Encrypted:false
                                          SSDEEP:98304:hcirJylHYab/6bMJsv6tWKFdu9CLiZxqfg8gwf:+irJylHFb/QMJsv6tWKFdu9CL4xqfg8x
                                          MD5:817520432A42EFA345B2D97F5C24510E
                                          SHA1:FEA7B9C61569D7E76AF5EFFD726B7FF6147961E5
                                          SHA-256:8D2FF4CE9096DDCCC4F4CD62C2E41FC854CFD1B0D6E8D296645A7F5FD4AE565A
                                          SHA-512:8673B26EC5421FCE8E23ADF720DE5690673BB4CE6116CB44EBCC61BBBEF12C0AD286DFD675EDBED5D8D000EFD7609C81AAE4533180CF4EC9CD5316E7028F7441
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):102384
                                          Entropy (8bit):6.0152637062152445
                                          Encrypted:false
                                          SSDEEP:768:xivYT8++UTS1jFHI4XV+2my6cg4ydlgW935aoQL4AikNQsLedDGuUf2hI:YL3b1FHR+U6p4KlT9ESAimFLeFUfV
                                          MD5:AB650B8F02BF49D2FA1C015B8F9B5EE8
                                          SHA1:02A02BD474948E110FA8B25E21E3898776CACCA8
                                          SHA-256:32149ACD851FC37BDC5D1C39E84CCDB9AE4ECAC103BEC628E9C29450381C8248
                                          SHA-512:2A5C7AC3EB09B6F3CCCE3E150A84094CBA2EC1B3CE518F78CEBCE93564E505E42E609B338E9F2D0AD5BAC1A44D328CAA9E20D9082E8C46C988ADC9F4E256CAAD
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):7008240
                                          Entropy (8bit):6.674290383197779
                                          Encrypted:false
                                          SSDEEP:49152:9VPhJZWVvpg+za3cFlc61j2VjBW77I4iNlmLPycNRncuUx24LLsXZFC6FOCfDt2/:BJZzI1ZR3U9Cxc22aDACInVc4Z
                                          MD5:47307A1E2E9987AB422F09771D590FF1
                                          SHA1:0DFC3A947E56C749A75F921F4A850A3DCBF04248
                                          SHA-256:5E7D2D41B8B92A880E83B8CC0CA173F5DA61218604186196787EE1600956BE1E
                                          SHA-512:21B1C133334C7CA7BBBE4F00A689C580FF80005749DA1AA453CCEB293F1AD99F459CA954F54E93B249D406AEA038AD3D44D667899B73014F884AFDBD9C461C14
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1340400
                                          Entropy (8bit):6.41486755163134
                                          Encrypted:false
                                          SSDEEP:24576:eXPn73RXox1U9M0m+1ffSDY565RzHUY1iaRy95hdGehEM:+7hXU1U95m4ff9A5RviaRy9NGI
                                          MD5:3569693D5BAE82854DE1D88F86C33184
                                          SHA1:1A6084ACFD2AA4D32CEDFB7D9023F60EB14E1771
                                          SHA-256:4EF341AE9302E793878020F0740B09B0F31CB380408A697F75C69FDBD20FC7A1
                                          SHA-512:E5EFF4A79E1BDAE28A6CA0DA116245A9919023560750FC4A087CDCD0AB969C2F0EEEC63BBEC2CD5222D6824A01DD27D2A8E6684A48202EA733F9BB2FAB048B32
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):321008
                                          Entropy (8bit):6.4037799339163355
                                          Encrypted:false
                                          SSDEEP:6144:dtqkKC7BjQV5eR1b+yRWsJQnNfckNI+STEDC4nkml+T/6qhdDqvJbb9fv:HRFe5en+gWUCNTF9fv
                                          MD5:B1F29EA399C173C50C64FFCA5F13DC7F
                                          SHA1:4A039AFF59F34BAE66AA24A0C349059795BF13B2
                                          SHA-256:0E179470446A14C3706182D88FC95E5C066957C3752DEFDD6D3649AE877C87A2
                                          SHA-512:0B95E7209CDBB1E977860E8A41E73C5232E682EF111A34A57762FA6BC83D8C3126BCD38069E1D8FB72703F356608F98C103717377493D41E0F4EB5CAA024D79B
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):330736
                                          Entropy (8bit):6.381828869454302
                                          Encrypted:false
                                          SSDEEP:6144:6qLZcTC3wR/0JNZ+csBkBv0L0hq+SvcO8MsvwbIeblsjTR:6qNcCwqHE2fYlsPR
                                          MD5:03761F923E52A7269A6E3A7452F6BE93
                                          SHA1:2CE53C424336BCC8047E10FA79CE9BCE14059C50
                                          SHA-256:7348CFC6444438B8845FB3F59381227325D40CA2187D463E82FC7B8E93E38DB5
                                          SHA-512:DE0FF8EBFFC62AF279E239722E6EEDD0B46BC213E21D0A687572BFB92AE1A1E4219322233224CA8B7211FFEF52D26CB9FE171D175D2390E3B3E6710BBDA010CB
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):149488
                                          Entropy (8bit):6.116105454277536
                                          Encrypted:false
                                          SSDEEP:3072:4sSkET6pEXb3loojg1Q2sorWvZXF2sorrLA7cG27Qhvvc:4sSd6pwzloDbsnX0sCrc7ct7QVc
                                          MD5:A016545F963548E0F37885E07EF945C7
                                          SHA1:CBE499E53AB0BD2DA21018F4E2092E33560C846F
                                          SHA-256:6B56F77DA6F17880A42D2F9D2EC8B426248F7AB2196A0F55D37ADE39E3878BC6
                                          SHA-512:47A3C965593B97392F8995C7B80394E5368D735D4C77F610AFD61367FFE7658A0E83A0DBD19962C4FA864D94F245A9185A915010AFA23467F999C833982654C2
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):5498352
                                          Entropy (8bit):6.619117060971844
                                          Encrypted:false
                                          SSDEEP:49152:KO+LIFYAPZtMym9RRQ7/KKIXSewIa/2Xqq1sfeOoKGOh6EwNmiHYYwBrK8KMlH0p:IGoKZdRqJD10rK8KMlH0gi5GX0oKZ
                                          MD5:4CD1F8FDCD617932DB131C3688845EA8
                                          SHA1:B090ED884B07D2D98747141AEFD25590B8B254F9
                                          SHA-256:3788C669D4B645E5A576DE9FC77FCA776BF516D43C89143DC2CA28291BA14358
                                          SHA-512:7D47D2661BF8FAC937F0D168036652B7CFE0D749B571D9773A5446C512C58EE6BB081FEC817181A90F4543EBC2367C7F8881FF7F80908AA48A7F6BB261F1D199
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):848624
                                          Entropy (8bit):6.226073557201281
                                          Encrypted:false
                                          SSDEEP:12288:glSRkt/ADhUy1qHvH5Bv+lO5h6n288n7BDtxThD+10:g4Ryy1qHBBv+l668n7jxm0
                                          MD5:09384FAE658A7566655E76C32DDEF653
                                          SHA1:FD16FD1A7504EFA9B1A17FDDE897141985271F32
                                          SHA-256:4448C09C7A0CF3A18DBCA33C7F889CD36D5192D668EA2ACBB4A4E65261F731AD
                                          SHA-512:52DE1C06DA4E2D3DD5F570A06E87F3AB703FC4578CE7D14A68108EE6BE7DD1563D1785BC8DAF107BCC18D7073C10CE45C2B06968FE3249322C431C06C8CE6295
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):305392
                                          Entropy (8bit):6.242398831287072
                                          Encrypted:false
                                          SSDEEP:6144:zXvA6GWLMKIhiovzNWUbtQ0Q8L/hFHC7p:zXo6GWgsov9ZrQ8bhq
                                          MD5:3CFDE799979AB3BDDD93FFD46A375CD0
                                          SHA1:AAE44FC249918CE86ACA050D3FE7311C2FFC0C80
                                          SHA-256:83CF481C9AFA319C573BF642BC2271CD65C5435076A3BF99ECE9FB53C52A35D2
                                          SHA-512:5C355324802D80A97E3EAC823430C1E7E1D177AF562AC11B94E978450C789BBFBBB32A9DC01CB530764F0E5C114FBDE8D9F4370DE2FA19DBA689B0BBEF7E80F6
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):905456
                                          Entropy (8bit):6.410762946527034
                                          Encrypted:false
                                          SSDEEP:12288:aynKy8oJXHlyEolsglxb/Gj53/vpZcZjlIcPX3NDdpMEZhJeuv:ayXFyEoLk5+tn
                                          MD5:FED654B78DC2EF46288A50A506AD024F
                                          SHA1:DA1159917FF8E03451A9CEE0A7C26C09D838BDF8
                                          SHA-256:C64245CB6606570963F243F538F83A42EB04D280A6AECFAF6F71BC83D36E7159
                                          SHA-512:B9DBD4CA4EB9941FD5C9DC132C447D5A118DBDA586514AF2289807E4D817E120F4EAEB3CF9D3BDB019A5FAF6AC15B5CE8A5541E6233A7536568C88AB46BBD601
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):3815664
                                          Entropy (8bit):6.407256607167561
                                          Encrypted:false
                                          SSDEEP:49152:+/uSVZLrvrTX30234JyyeZBzswYE9/EtYqJ9er/2CFCpJq:+/FpZBzOmr2CMpc
                                          MD5:9B65E7DC2CF1D85C62CF858E45B74E79
                                          SHA1:9ECFABE63716F9F270F2DC15BA2DB189BDAE7ED9
                                          SHA-256:9628E99890E59FDC11A6AA6351CEE7EFCC0AB96DB1A5A75B0EB986A5A64D14ED
                                          SHA-512:EC0F1B3D537AF6C7FD3C75E89A187BAAA15700E9A35D871636AED4B202C5AE7F800174EB2F3262ED90CEA8450ED15EADB69D89709F339C02610DEC60689361B2
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):3783408
                                          Entropy (8bit):7.082603044017435
                                          Encrypted:false
                                          SSDEEP:49152:DvGbhb3gARA+DORgiDVVqWRcBP3Par9P8jtP8T4sLrM5up7PA:64NhRcBP3Par9+U0uhA
                                          MD5:2884F95C5C51B793A16C822F6865D468
                                          SHA1:40A6614137E528E76C78900E234AB31F5A76AF3E
                                          SHA-256:A58CF1A96B6073777C8C25C162692F4706B95428AD98A9BAD9D08E697E204125
                                          SHA-512:FCB46F404C405C5EEC13F223DB59B5144B4F4E6DE6777C671A5164283D278A13571472E35055A93BBC902933042AF894D6BBF2A1932BACBBB12D510403D2CEA5
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1674992
                                          Entropy (8bit):6.693921548534279
                                          Encrypted:false
                                          SSDEEP:49152:v0BOonBew9Ic4GrEoh9ald5RYaHOakyGCgKqHUWleD/SSrWZp:MnnrmvzgAXgp
                                          MD5:8AE454F4BF46749D2E326E66934BFC39
                                          SHA1:8998065CC8331982EB1DC7FA369BA366E114B302
                                          SHA-256:3CA6E5F349545FE2F7A11617CB082F4B60EF373A2702FA24CF4C2F88D8C5EA8A
                                          SHA-512:CBC35391B1C3FF074111B565BCF2CCE0D6C2C010FE2B4CE245531E33702F4B0F9538CB4B23AFBF632B1A18A0C176305491258DD678D08605957D0186DE38C98B
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):638192
                                          Entropy (8bit):6.121612263603408
                                          Encrypted:false
                                          SSDEEP:12288:aeAClh/JUd4/0OHSsecsFJPNK3jNeJVhoo:ZACl10OHSs4PNKxsgo
                                          MD5:30035261439F666D41E3A8E851379EC7
                                          SHA1:16BB1176D6775EB1771477AE7CCF79759CBBE2E7
                                          SHA-256:CEC70C7601106FFA9F22BC316F6B56B356D3986EBB1846E85E5D8D70AAAC07F2
                                          SHA-512:117CF2E52F9F5798E19A6D9CD90E525EAE5998BEBBB49C8F8B961E45AD0121CC24F1615214E3D9E35D7A581EDE7E29365ABBAE402FC2CD7715FF6828599AEAD2
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):2697456
                                          Entropy (8bit):6.294325960113847
                                          Encrypted:false
                                          SSDEEP:49152:tYFO3e6YpwBhqben1GtA+6pf2v7+zxUZUM/SRCJg7E661CebH2DOz7JsFWRZ2:AUMyDO3Ji5
                                          MD5:17571E2B575C43E910C8308A447EFAA5
                                          SHA1:EE605C41D4F11F2E6C489F613D7907CD442F0813
                                          SHA-256:8A7DF7EA0CD8EAEB38D354E3F0B1118A530580F23ED933DDCF28547701F72C55
                                          SHA-512:A3F4F9B5FC3B25C8082B85B06858DEED2AC24111214317F263A4D51F2DB15522C7EAF12A4CBB5882406134135D8F1F771D8ACD4FF86F6B87CC1CE88772EC5154
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):471792
                                          Entropy (8bit):6.133406334839098
                                          Encrypted:false
                                          SSDEEP:6144:/C9mSwGqUtU6NFPIOWIhz8qtQej4gFlShFXA58+eIVPV/RrQp8XWLSZbRc:/2wGqKUyZ1zeYMKB+
                                          MD5:81C31E22F2EA4AD7D6512A00E276EAC4
                                          SHA1:7D95F2E547D177BA258E75E29D9D2B0C4C9A9287
                                          SHA-256:088446600B5947744066887DAF19E2562DCCA797A7E83F34BC474645C57DEF7E
                                          SHA-512:FDA5D99B69551755663540022F0E0468BEB289683F35D300D809DC35A2C9A63447AE24FE335DFEFB9DD6561B1917377C9525D94181F2F0E81462F045844497F2
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):731376
                                          Entropy (8bit):6.179937626354653
                                          Encrypted:false
                                          SSDEEP:12288:r+VjdxvoKGf8vRRjggGQiaaNaRn+LEk33zTL5XcqNO3rX6/3TW+17T+SrdqJzUXZ:r+Vh9UkvRRjggb/aI+LEuBJpdq1YZ
                                          MD5:6AC7AA6A96EBB68D537099127715E551
                                          SHA1:343CF0E56413973A89FE82652A69FA9FE756E4B7
                                          SHA-256:DCD64A0F526F2B42D3052B239900D46FFE5D081F9C456A770A770A153AD4187D
                                          SHA-512:7E194AEFF72EE3632CBE8AB8D0A988A025B7780A3B3EC8729817E3C468B63BF9C0DE9B82C4BE66D8BD96FC4D091B8C06AD912A19CDE0D76DA2649BA226F84083
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1703152
                                          Entropy (8bit):6.263930597929995
                                          Encrypted:false
                                          SSDEEP:49152:zjIvfo41bZFaxoVEbck8vlXlq00MBdCHa4wceTlBKB4WBlz1/w2SvpNiX1nOrw2x:skzc
                                          MD5:4FB0AC0BE1DE51903B251B3BA7842A9E
                                          SHA1:6A27E35545C900D0480241FBC5D4EDB87AB50574
                                          SHA-256:83DB54F529B47A8E8E1A4B898AD64FD9F4B6A5D96829DA183EA650154AD132F3
                                          SHA-512:C883F31B18D172768C7B47EB0F62F45C166ACDB28B83B0D4D8137A61F12DA6F50D9B26B63410435B09F2D5EE98C958E4A1116098DE3AA47EAC41B66D5FEF6F93
                                          Malicious:false
                                          Antivirus:
                                          • Antivirus: ReversingLabs, Detection: 0%
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):2577648
                                          Entropy (8bit):6.18813475149753
                                          Encrypted:false
                                          SSDEEP:49152:3CGX7lSpFVYjlpLkiEtxcnPOjk91JQagBeqcMr8Trq9b:VsNrd9b
                                          MD5:108A3C3D5C16D20DB13B6800670BFC54
                                          SHA1:A23BA534B81502712956147185B1F15C2E2E80E3
                                          SHA-256:5A558E3AE5762EBFF3AB15A5B60FE4F45AA05EEC4A292EDBB1A2FE5E9A4AE605
                                          SHA-512:B04C83CF22416F92214CE8213E7AF841BE5952091245A6844E92028D8C9C88C319C3596A335CD2E345DDEEE9A42EAAB702B5F5336E6A2CA8F74BF98782B61938
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):2326768
                                          Entropy (8bit):6.265149852539151
                                          Encrypted:false
                                          SSDEEP:24576:yPf0xVJnPKKuk6Fcg0UR/GHLv/8Cncx60IBSdDq75z8KIVZDba7JpNVs2SRPX:yPoJCKuJFsUR/m09IB8cuKIL/QJpNYR/
                                          MD5:FDDCFABB82A4BDF771B9C8504DEF8211
                                          SHA1:FA28EAF5D24A510A53CA3739BB533A5EBA200FF3
                                          SHA-256:B0F29826C1EC3AC4C8FB781D153084018ACE637FB7085FFA525483BCBF144FDE
                                          SHA-512:D3DFBF7524F2F0A4597FCE9E1D59AA393485FE1D0DF400DA176BE4D76C628D1D47C2AE9038B908BF6C487B4F66083E586C3AA1023D6D16F4CCDC270C272415A8
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):2117872
                                          Entropy (8bit):6.289461121862461
                                          Encrypted:false
                                          SSDEEP:49152:MQ1PhsCh07gUJLD1y9Ez64XBOMSeMxHwdeLz/4pBbfqR+z6Yb7vQ1f5Ppm7HcIhp:w9Nr
                                          MD5:FEDAE2A00AEAA26418123C7607F8913D
                                          SHA1:112E8FEBD96880D7DF3EBD034AFEBF52A905B25F
                                          SHA-256:A96F624E8AD557F28A35C2B08CC238F4760FF73117932C473EB6AC94359B4D00
                                          SHA-512:10BD032039CBF8427B8FA97860D226360C10F1419AA48720474F49DD2BDB7CD5972A2C776CFA369D429FE957BE617A01E7999ABBE9C6E585BDFB7B9F005BBBCE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1728752
                                          Entropy (8bit):5.177332416676532
                                          Encrypted:false
                                          SSDEEP:12288:XjIJQx+Njd+rxP+vzLCqq98daeRsu+y9RNiZSMsV2JNs04Wchnn9c7gQ7vDorJap:Tf+Ncx2zLCqiOaEL9biZ6MJNQ8orSUk
                                          MD5:3539141FFDA9CAE0C77131AEBA50A114
                                          SHA1:EA31877537A80E499C33811C10C66314D0C51B04
                                          SHA-256:047DFADDB4285896FC4AE8905114F9FE5808868B94CA34828FBDFC42135C747B
                                          SHA-512:9703E1BB77065773953C1F946786D661158D8DDF4DD07AC2E5C9673C87DB0198AFB6FA737BF0BDFDF7F5BA5A6FC1F6AA8E3B4DF4A2D635DEB79F9C9D0BE1F6DC
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                          Category:dropped
                                          Size (bytes):82336768
                                          Entropy (8bit):6.709624515309904
                                          Encrypted:false
                                          SSDEEP:1572864:KiySAJLva8soisRmwdcYS/aEHBt6w5Hnflkg+rkVRJsZRw+cJfagAoCFh4:KiySAcsc
                                          MD5:DC7F54B9AC3196E0D0775FA80F0FB6D9
                                          SHA1:475C7CB7CF74FA6014F12A26D169718FC5C377D5
                                          SHA-256:608C17870EA5F801959859639207F2A4DE581F16FD78C7BBD67E7B42377EFFFD
                                          SHA-512:5232D8993177281D7650C22D8E15EEA0DF58D6A70A7279EDEC28E53A94BA764DEB210A32FE963320EDC571CE9D24CB90A3AC4882E5009DAEE191A3AB957CB00E
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                          Category:dropped
                                          Size (bytes):18416128
                                          Entropy (8bit):6.683302926545402
                                          Encrypted:false
                                          SSDEEP:196608:zMYiFS3ke63qeMs+eBH0Xbr8EYriPyv81djl1xV57VB:zMa3kLBH0rr8EYriqv4dRN5f
                                          MD5:36A0558B4768FC872970E6DF3D80E344
                                          SHA1:567EB56023D3CE1676B30F1087C3BB6182CFDAB0
                                          SHA-256:8154BAA7A6C1DFEAD2CB0EB27FEAF9568BD2AAABA0F53A6AAEE75705BF807E3A
                                          SHA-512:32B0EFD65869A622AAF12451D234A49DE4B159B07297813A72B9019BB56EF0D990C9308630262C5FB4C73455A04B0CC46CB81B828BA627B93B120DBF3283FB3C
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                          Category:dropped
                                          Size (bytes):2652672
                                          Entropy (8bit):6.5100737069425705
                                          Encrypted:false
                                          SSDEEP:49152:/drr5uORwWnFgekvnXCkqbPnVc/t93AnL2:dr50D+6th22
                                          MD5:3E6E3F672ED39CBEA7F7FC594BA65167
                                          SHA1:B2EC77464A04ABAA60CC3AEF232A01D302117FDB
                                          SHA-256:73124B69D6F3C54AFDAAB9CDE89656F415923119ACCDCF918ECDD47F78FB0210
                                          SHA-512:54CB29B1D2978886934B9181FA011EBF73427EA306D67DD4D920ECF57002DE636194FBCE53B9D94D0FD796D2CDD35E942619672442AB2A6A4D7F4E54CC35E724
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):332568
                                          Entropy (8bit):6.217408928777197
                                          Encrypted:false
                                          SSDEEP:6144:tlBybiGsY4lxA6c40PMjoTrDPbv+Xipv6wfnWzgcpw2eRJ:tWbzsBcPPlbxpvIzQT
                                          MD5:1028995446D0032530461BE30CA98F48
                                          SHA1:18446678152E9997EED9C02995F957D58A8E8F32
                                          SHA-256:D404B49C25CC76DC4C86E1D82FC23799482F6509E85A73ED8177EFC320EC0195
                                          SHA-512:ADB9AE577F082E0246CAE5C804FA4CD08BCF54CE78EACA02D49B9B1B262779667A251E98CAE807AFF50FDAC504B8CD855CE4D786F587D02E0A18F6AC8E0D882E
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):137216
                                          Entropy (8bit):6.225171524893703
                                          Encrypted:false
                                          SSDEEP:3072:oeFPoVRx1tgigeosf1bt3eCwpQ6qPNq9K00mp7k43MnVA8ESgS45P04X:Ve1tgigeosf1bt3eCwC6KqkdA8ESgS45
                                          MD5:BE0ADCA466744EBA777289419966C0C7
                                          SHA1:7D2FFA0BED0B7DA841E58AA61C42E435D78E7E9B
                                          SHA-256:216992614BDCE256C01DC9B7FF6085C597E50B8024E67AAE5FE35B47BE318240
                                          SHA-512:F41DEF9F228CB7E6DF019E7B089F6C3E9453716237AF11B5B30162892468C38D34234DFCD72AE6E25C66CFA25C48165ECBA9E48D54DD38CC72F60CD97F8672EA
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):64000
                                          Entropy (8bit):4.918600259690758
                                          Encrypted:false
                                          SSDEEP:768:k2PM9rCwnTNtag/Zbf7dOtx+3pg+2iQ6gPSN9uDsH9g+tRc:kP1n7gDnSL9g+7c
                                          MD5:1B5BAF09EBE88108D5DA26C0E0514875
                                          SHA1:5D1EE37B752D603991999BD7C0434B5FCD428E38
                                          SHA-256:24D9A38A0E090E2D50BFAAB9B5BDA9A753BCCB3770C7751CB81BB15BCEDF47FF
                                          SHA-512:F50539A482BBA73CA8C5B38E9C55F16FCE0111091187B90D8AAC5F5A0A6250C2F6F293A97DE499646B5EB8A2D921C034B0EE163E97E60C0DFD339BC3B9436562
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):32752
                                          Entropy (8bit):5.873520436484058
                                          Encrypted:false
                                          SSDEEP:384:VTMA5mqtXQltClg86LgCo0dJiHv08Ekjjj+fv0dDPFcqtVxtndDGulpDgf2hU:VjklNgO8HcY3+fctuqtVTdDGUpUf2hU
                                          MD5:97AE1E19B9755ED28E3F3F39AAFD5E55
                                          SHA1:4D7412C943B6AB07DA2582228A770A2FCF2E22E9
                                          SHA-256:AEBEA1CDED11CABB53F6545A55E82C90A969AD3AC6E88E9841399C297861E5D5
                                          SHA-512:9517727BE77422956FFD65AB43F3206132A6D079E8A03C30AA0836AE412B52AE5976D905443F91F1CE79E2526AA1630B651BBD59CF47FFF59D20A9F08CDB4B66
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):32752
                                          Entropy (8bit):5.873520436484058
                                          Encrypted:false
                                          SSDEEP:384:VTMA5mqtXQltClg86LgCo0dJiHv08Ekjjj+fv0dDPFcqtVxtndDGulpDgf2hU:VjklNgO8HcY3+fctuqtVTdDGUpUf2hU
                                          MD5:97AE1E19B9755ED28E3F3F39AAFD5E55
                                          SHA1:4D7412C943B6AB07DA2582228A770A2FCF2E22E9
                                          SHA-256:AEBEA1CDED11CABB53F6545A55E82C90A969AD3AC6E88E9841399C297861E5D5
                                          SHA-512:9517727BE77422956FFD65AB43F3206132A6D079E8A03C30AA0836AE412B52AE5976D905443F91F1CE79E2526AA1630B651BBD59CF47FFF59D20A9F08CDB4B66
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):18278912
                                          Entropy (8bit):6.415110000021905
                                          Encrypted:false
                                          SSDEEP:393216:EsQdvh76/JkvrxVY2Xkarvb1mTLlMGRhUU6DmA0viO/ilJ85EWlB/jBtLs:chU69GFrn/jBtL
                                          MD5:9B5689B0D551161AEE9D45FE6A438FCB
                                          SHA1:2C435765C66BA18086850EF532BBD08EAB755944
                                          SHA-256:79816E0BA8786690E2C1EE8758D6D64D2B583131934BE2F9E870736C54DA905E
                                          SHA-512:2193ABB629F1F04D4BFEEC4C74416C3E6D45572F9B02A29360FA08A19E17E0149B5A61BCADB92E0E409579C3B2DB08532E7CD2F5C82871D185B71B1616A94694
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1304064
                                          Entropy (8bit):6.3870556331947235
                                          Encrypted:false
                                          SSDEEP:24576:hgar8jZShGQRO0mENxPM6LQtscfMlYiupJjpm:Lr8jZdELPM3jfMlYiuzpm
                                          MD5:CC559D3B8F1F0691DF94A76C5E869D16
                                          SHA1:4CA778423A255EA2F2269E18DDD7AE449E4FB32F
                                          SHA-256:E3DE026BF30FD187C3A893B8489CCD49C265F0747D38BCE0C94782A622D2B9B2
                                          SHA-512:C40516DBAD6E3EC3110A5A078F70F8C525C08CE45F159C1F83D2AC259BD74050A516D7808ECDDD2175343DB6D6945C4286B7FD32EE1F2B96C84A7BE41A2D9A04
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):278016
                                          Entropy (8bit):6.002198044760076
                                          Encrypted:false
                                          SSDEEP:3072:0YFEIZkLcSqMJUGotgtsKhXQsYxC50Xj1AWOAPEd:zuLcScGmNlC50Xj1AWOAPE
                                          MD5:5F0D90D65156DB90A2B5D0EC4C3FCFF8
                                          SHA1:D4341CA5CF262DE98EC772C770FA92F4B8E8A9F4
                                          SHA-256:EF215DA0B20F6F46B8FD2D7A557319EB30A1A2B1031D3E4C0B37B1AA4FAC58B4
                                          SHA-512:7C56D8A8FE5890C68F68E685B48E3D956159768FAAF7A27B701A5D62B5F55995E80519F200D8C11B8886165A67961545015438B1B48BA9B9139B4DF6CA6A8FDF
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):560
                                          Entropy (8bit):4.819890866613878
                                          Encrypted:false
                                          SSDEEP:12:jXlCrSbfJh+thGLD9nOAVDFexQjl5F+fJIzGIml2f:BCrSzJhWQ39OAVDFxjAJIyIM2f
                                          MD5:69C927B8C88EA2556CA7F0F201ED412C
                                          SHA1:C7E9CEB0568A5040EFC5D44CCE069453A414BE1E
                                          SHA-256:F32EC578A85CF99B4D1ECFA478499889F4155CA7B3B2920094F95DFA30516F26
                                          SHA-512:A3EB4CAEF5B5B1056AAB3ED87022A86CA662668BB8B73DEA2799908B47C2E53C68859567B33AB1B66A822CC2879BE3A834973EB2B01DB25125EE322473C4BC60
                                          Malicious:false
                                          Reputation:low
                                          Preview:// Before modifying this file, rename it 'global_shift_list.txt'..//..// You can place here sets of shift vectors and scale factors (associated to a name)...// Each set (name) will be displayed in the combo-box above the shift fields of the..// "Global Shift and Scale" dialog (this dialog typically appears at import time while..// loading a file with big coordinates)...//..// All values are separated by a semicolon character (;):..// name; shift(X); shift(Y); shift(Z); scale;..//..// Example:..//..// Ankh-Morpork ; -621900.0 ; -5114400.0 ; 0.0 ; 1.0 ;
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):2240000
                                          Entropy (8bit):6.548212734365113
                                          Encrypted:false
                                          SSDEEP:49152:KJDs2vUNknXd2rb67z46BfyZtvqSI+Gr8Gs7Ts:7mnX9fyHrGps
                                          MD5:027AD255105FC361E9841ED8C696F7BD
                                          SHA1:06FD6FD68C0BCBB78AC9E7DC44172BB2F3865855
                                          SHA-256:F192C3BEA5F560166403114962F30E82F4EF14BF9DF1F0DFB7A06D45BC790080
                                          SHA-512:F27FA2F68FE3C4F7818D8B20BFCE230558CEC82CEA45856159B479CE83CA7300DC0D51FC30E98013A6C18563CAB5443825DEC5E06ECAEF1D3465FBB1134C77A4
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):99840
                                          Entropy (8bit):6.070375909397882
                                          Encrypted:false
                                          SSDEEP:1536:gidhTVwoKodN5deiZT++24zVwOe3XSjZ+DNli/xfoCbIhEkiJorBnpL:VhZwoKoXHZTF245wY9+ZlilZVyTL
                                          MD5:A62B144F7018735973AFEE25CA8B6B03
                                          SHA1:71DE842D0ED154C1CDCE145AF4B0389A8B21762B
                                          SHA-256:498C6EEE37060600B84CE9484A707386592C653022AB28CFADFF3B1A168C6547
                                          SHA-512:CB1BBD83627A800A1E6B81D6481DE0C69AC03DCE44F082A1BF6FFCC901C16E07956570FFC5D70D720C4B4696403997F70069DC4750AD30EFD19B817E78679755
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):41968
                                          Entropy (8bit):6.0993566622860635
                                          Encrypted:false
                                          SSDEEP:768:VPs5g31JfDgej5JZmA0ZsEEC6lmn+4FdDGimUf2hr:VkC31ee7ZmA+sEEC6lmn+4FOUfc
                                          MD5:313F89994F3FEA8F67A48EE13359F4BA
                                          SHA1:8C7D4509A0CAA1164CC9415F44735B885A2F3270
                                          SHA-256:42DDE60BEFCF1D9F96B8366A9988626B97D7D0D829EBEA32F756D6ECD9EA99A8
                                          SHA-512:06E5026F5DB929F242104A503F0D501A9C1DC92973DD0E91D2DAF5B277D190082DE8D37ACE7EDF643C70AA98BB3D670DEFE04CE89B483DA4F34E629F8ED5FECF
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):41968
                                          Entropy (8bit):6.0993566622860635
                                          Encrypted:false
                                          SSDEEP:768:VPs5g31JfDgej5JZmA0ZsEEC6lmn+4FdDGimUf2hr:VkC31ee7ZmA+sEEC6lmn+4FOUfc
                                          MD5:313F89994F3FEA8F67A48EE13359F4BA
                                          SHA1:8C7D4509A0CAA1164CC9415F44735B885A2F3270
                                          SHA-256:42DDE60BEFCF1D9F96B8366A9988626B97D7D0D829EBEA32F756D6ECD9EA99A8
                                          SHA-512:06E5026F5DB929F242104A503F0D501A9C1DC92973DD0E91D2DAF5B277D190082DE8D37ACE7EDF643C70AA98BB3D670DEFE04CE89B483DA4F34E629F8ED5FECF
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):914432
                                          Entropy (8bit):7.34282950558293
                                          Encrypted:false
                                          SSDEEP:24576:hznlJ9BAUZLY9uHjGavkg3Ny37mbbTufVbqf:9lJ9BAUZLY9uHjGaXElVG
                                          MD5:54280BD06D5C35DDF1B53091237C9672
                                          SHA1:E2806EAA2319B0728EA93A2C98164066D2955C64
                                          SHA-256:FB4C161160C38531CC4B9B91B2836E5CF62DF7EB095EFDDEFAF433633AE78D54
                                          SHA-512:975ABE5268B003D557C62DA3BEDC8139351F8566238CC02FDD70E57236DD6DAE888909AD48C89CA5652C3D541EEC0404D62B9A52A10932C786AB3643B1CBF425
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):39408
                                          Entropy (8bit):6.0316011626259405
                                          Encrypted:false
                                          SSDEEP:768:ygk2hM0GskFtvPCjEIxh8eDzFyPddeeGvnhotdDGPUf2he:yN2a05kfPOEMaeDzFkddeFnhotOUfh
                                          MD5:52FD90E34FE8DED8E197B532BD622EF7
                                          SHA1:834E280E00BAE48A9E509A7DC909BEA3169BDCE2
                                          SHA-256:36174DD4C5F37C5F065C7A26E0AC65C4C3A41FDC0416882AF856A23A5D03BB9D
                                          SHA-512:EF3FB3770808B3690C11A18316B0C1C56C80198C1B1910E8AA198DF8281BA4E13DC9A6179BB93A379AD849304F6BB934F23E6BBD3D258B274CC31856DE0FC12B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):32240
                                          Entropy (8bit):5.978149408776758
                                          Encrypted:false
                                          SSDEEP:768:uOVKDlJJVlTuLiMtsKVG7TSdDG9Uf2h4e:hVgJVlTuL/tsKVG7TSQUfre
                                          MD5:C0DE135782FA0235A0EA8E97898EAF2A
                                          SHA1:FCF5FD99239BF4E0B17B128B0EBEC144C7A17DE2
                                          SHA-256:B3498F0A10AC4CB42CF7213DB4944A34594FF36C78C50A0F249C9085D1B1FF39
                                          SHA-512:7BD5F90CCAB3CF50C55EAF14F7EF21E05D3C893FA7AC9846C6CA98D6E6D177263AC5EB8A85A34501BCFCA0DA7F0B6C39769726F4090FCA2231EE64869B81CF0B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):38384
                                          Entropy (8bit):5.957072398645384
                                          Encrypted:false
                                          SSDEEP:768:zBXBEfQiAzC9Oh5AS7a3Z5OGrTDeV9mp7nnsWdDGgYUf2hi/:8JAzuOhy3zOGrTDeV9mp7nnsWjYUfz
                                          MD5:A9ABD4329CA364D4F430EDDCB471BE59
                                          SHA1:C00A629419509929507A05AEBB706562C837E337
                                          SHA-256:1982A635DB9652304131C9C6FF9A693E70241600D2EF22B354962AA37997DE0B
                                          SHA-512:004EA8AE07C1A18B0B461A069409E4061D90401C8555DD23DBF164A08E96732F7126305134BFAF8B65B0406315F218E05B5F0F00BEDB840FB993D648CE996756
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):45040
                                          Entropy (8bit):6.016125225197622
                                          Encrypted:false
                                          SSDEEP:768:vEip0IlhxTDxut3dnm8IyAmQQ3ydJouEAkNypTAO0tfC3apmsdDG9Uf2hU:vxvXxgVIyA23ydJlEATpTAO0tfCKpms/
                                          MD5:AD84AF4D585643FF94BFA6DE672B3284
                                          SHA1:5D2DF51028FBEB7F6B52C02ADD702BC3FA781E08
                                          SHA-256:F4A229A082D16F80016F366156A2B951550F1E9DF6D4177323BBEDD92A429909
                                          SHA-512:B68D83A4A1928EB3390DEB9340CB27B8A3EB221C2E0BE86211EF318B4DD34B37531CA347C73CCE79A640C5B06FBD325E10F8C37E0CEE2581F22ABFBFF5CC0D55
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):30192
                                          Entropy (8bit):5.938644231596902
                                          Encrypted:false
                                          SSDEEP:768:EfEM3S46JE2X/xBZ76pC5J6GdDGZUf2h4:63S3JE2PHZ76pC5J6GEUfn
                                          MD5:68919381E3C64E956D05863339F5C68C
                                          SHA1:CE0A2AD1F1A46B61CB298CEC5AA0B25FF2C12992
                                          SHA-256:0F05969FB926A62A338782B32446EA3E28E4BFBFFC0DBD25ED303FAB3404ABAC
                                          SHA-512:6222A3818157F6BCD793291A6C0380EF8C6B93ECEA2E0C9A767D9D9163461B541AFAF8C6B21C5A020F01C95C6EE9B2B74B358BA18DA120F520E87E24B20836AA
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):31728
                                          Entropy (8bit):5.865766652452823
                                          Encrypted:false
                                          SSDEEP:768:1lGALluUEAQATWQ79Z2Y8Ar+dDG2vUf2hF:TZl/EH8WQ794Y8Ar+hvUfm
                                          MD5:A913276FA25D2E6FD999940454C23093
                                          SHA1:785B7BC7110218EC0E659C0E5ACE9520AA451615
                                          SHA-256:5B641DEC81AEC1CF7AC0CCE9FC067BB642FBD32DA138A36E3BDAC3BB5B36C37A
                                          SHA-512:CEBE48E6E6C5CDF8FC339560751813B8DE11D2471A3DAB7D648DF5B313D85735889D4E704E8EEC0AD1084AB43BE0EBDFBACD038AEAC46D7A951EFB3A7CE838EB
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):390128
                                          Entropy (8bit):5.724665470266677
                                          Encrypted:false
                                          SSDEEP:6144:V0jqHiFBaRe0GPAKwP15e7xrEEEEEEN024Rx/3tkYiHUASQbs/l7OanYoOgyV:0qqwP15bx/q7/yyV
                                          MD5:9C0ACF12D3D25384868DCD81C787F382
                                          SHA1:C6E877ABA3FB3D2F21D86BE300E753E23BB0B74E
                                          SHA-256:825174429CED6B3DAB18115DBC6C9DA07BF5248C86EC1BD5C0DCAECA93B4C22D
                                          SHA-512:45594FA3C5D7C4F26325927BB8D51B0B88E162E3F5E7B7F39A5D72437606383E9FDC8F83A77F814E45AFF254914514AE52C1D840A6C7B98767F362ED3F4FC5BD
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):510448
                                          Entropy (8bit):6.605517748735854
                                          Encrypted:false
                                          SSDEEP:12288:bPTjgdqdsvh+LrLrLrL5/y4DVHAsqx3hXS+oPZQqRaYG:jT5sMLrLrLrL5q4dAsaOFo
                                          MD5:308E4565C3C5646F9ABD77885B07358E
                                          SHA1:71CB8047A9EF0CDB3EE27428726CACD063BB95B7
                                          SHA-256:6E37ACD0D357871F92B7FDE7206C904C734CAA02F94544DF646957DF8C4987AF
                                          SHA-512:FFAEECFAE097D5E9D1186522BD8D29C95CE48B87583624EB6D0D52BD19E36DB2860A557E19F0A05847458605A9A540C2A9899D53D36A6B7FD5BF0AD86AF88124
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):421360
                                          Entropy (8bit):5.7491063936821405
                                          Encrypted:false
                                          SSDEEP:6144:USgOWz1eW38u9tyh6fpGUasBKTrsXWwMmH1l3JM5hn0uEfB4:USPQTnastBRB4
                                          MD5:16ABCCEB70BA20E73858E8F1912C05CD
                                          SHA1:4B3A32B166AB5BBBEE229790FDAE9CBC84F936BA
                                          SHA-256:FB4E980CB5FAFA8A4CD4239329AED93F7C32ED939C94B61FB2DF657F3C6AD158
                                          SHA-512:3E5C83967BF31C9B7F1720059DD51AA4338E518B076B0461541C781B076135E9CB9CBCEB13A8EC9217104517FBCC356BDD3FFACA7956D1C939E43988151F6273
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):39408
                                          Entropy (8bit):6.0316011626259405
                                          Encrypted:false
                                          SSDEEP:768:ygk2hM0GskFtvPCjEIxh8eDzFyPddeeGvnhotdDGPUf2he:yN2a05kfPOEMaeDzFkddeFnhotOUfh
                                          MD5:52FD90E34FE8DED8E197B532BD622EF7
                                          SHA1:834E280E00BAE48A9E509A7DC909BEA3169BDCE2
                                          SHA-256:36174DD4C5F37C5F065C7A26E0AC65C4C3A41FDC0416882AF856A23A5D03BB9D
                                          SHA-512:EF3FB3770808B3690C11A18316B0C1C56C80198C1B1910E8AA198DF8281BA4E13DC9A6179BB93A379AD849304F6BB934F23E6BBD3D258B274CC31856DE0FC12B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):45040
                                          Entropy (8bit):6.016125225197622
                                          Encrypted:false
                                          SSDEEP:768:vEip0IlhxTDxut3dnm8IyAmQQ3ydJouEAkNypTAO0tfC3apmsdDG9Uf2hU:vxvXxgVIyA23ydJlEATpTAO0tfCKpms/
                                          MD5:AD84AF4D585643FF94BFA6DE672B3284
                                          SHA1:5D2DF51028FBEB7F6B52C02ADD702BC3FA781E08
                                          SHA-256:F4A229A082D16F80016F366156A2B951550F1E9DF6D4177323BBEDD92A429909
                                          SHA-512:B68D83A4A1928EB3390DEB9340CB27B8A3EB221C2E0BE86211EF318B4DD34B37531CA347C73CCE79A640C5B06FBD325E10F8C37E0CEE2581F22ABFBFF5CC0D55
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):38384
                                          Entropy (8bit):5.957072398645384
                                          Encrypted:false
                                          SSDEEP:768:zBXBEfQiAzC9Oh5AS7a3Z5OGrTDeV9mp7nnsWdDGgYUf2hi/:8JAzuOhy3zOGrTDeV9mp7nnsWjYUfz
                                          MD5:A9ABD4329CA364D4F430EDDCB471BE59
                                          SHA1:C00A629419509929507A05AEBB706562C837E337
                                          SHA-256:1982A635DB9652304131C9C6FF9A693E70241600D2EF22B354962AA37997DE0B
                                          SHA-512:004EA8AE07C1A18B0B461A069409E4061D90401C8555DD23DBF164A08E96732F7126305134BFAF8B65B0406315F218E05B5F0F00BEDB840FB993D648CE996756
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):421360
                                          Entropy (8bit):5.7491063936821405
                                          Encrypted:false
                                          SSDEEP:6144:USgOWz1eW38u9tyh6fpGUasBKTrsXWwMmH1l3JM5hn0uEfB4:USPQTnastBRB4
                                          MD5:16ABCCEB70BA20E73858E8F1912C05CD
                                          SHA1:4B3A32B166AB5BBBEE229790FDAE9CBC84F936BA
                                          SHA-256:FB4E980CB5FAFA8A4CD4239329AED93F7C32ED939C94B61FB2DF657F3C6AD158
                                          SHA-512:3E5C83967BF31C9B7F1720059DD51AA4338E518B076B0461541C781B076135E9CB9CBCEB13A8EC9217104517FBCC356BDD3FFACA7956D1C939E43988151F6273
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):32240
                                          Entropy (8bit):5.978149408776758
                                          Encrypted:false
                                          SSDEEP:768:uOVKDlJJVlTuLiMtsKVG7TSdDG9Uf2h4e:hVgJVlTuL/tsKVG7TSQUfre
                                          MD5:C0DE135782FA0235A0EA8E97898EAF2A
                                          SHA1:FCF5FD99239BF4E0B17B128B0EBEC144C7A17DE2
                                          SHA-256:B3498F0A10AC4CB42CF7213DB4944A34594FF36C78C50A0F249C9085D1B1FF39
                                          SHA-512:7BD5F90CCAB3CF50C55EAF14F7EF21E05D3C893FA7AC9846C6CA98D6E6D177263AC5EB8A85A34501BCFCA0DA7F0B6C39769726F4090FCA2231EE64869B81CF0B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):31728
                                          Entropy (8bit):5.865766652452823
                                          Encrypted:false
                                          SSDEEP:768:1lGALluUEAQATWQ79Z2Y8Ar+dDG2vUf2hF:TZl/EH8WQ794Y8Ar+hvUfm
                                          MD5:A913276FA25D2E6FD999940454C23093
                                          SHA1:785B7BC7110218EC0E659C0E5ACE9520AA451615
                                          SHA-256:5B641DEC81AEC1CF7AC0CCE9FC067BB642FBD32DA138A36E3BDAC3BB5B36C37A
                                          SHA-512:CEBE48E6E6C5CDF8FC339560751813B8DE11D2471A3DAB7D648DF5B313D85735889D4E704E8EEC0AD1084AB43BE0EBDFBACD038AEAC46D7A951EFB3A7CE838EB
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):390128
                                          Entropy (8bit):5.724665470266677
                                          Encrypted:false
                                          SSDEEP:6144:V0jqHiFBaRe0GPAKwP15e7xrEEEEEEN024Rx/3tkYiHUASQbs/l7OanYoOgyV:0qqwP15bx/q7/yyV
                                          MD5:9C0ACF12D3D25384868DCD81C787F382
                                          SHA1:C6E877ABA3FB3D2F21D86BE300E753E23BB0B74E
                                          SHA-256:825174429CED6B3DAB18115DBC6C9DA07BF5248C86EC1BD5C0DCAECA93B4C22D
                                          SHA-512:45594FA3C5D7C4F26325927BB8D51B0B88E162E3F5E7B7F39A5D72437606383E9FDC8F83A77F814E45AFF254914514AE52C1D840A6C7B98767F362ED3F4FC5BD
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):30192
                                          Entropy (8bit):5.938644231596902
                                          Encrypted:false
                                          SSDEEP:768:EfEM3S46JE2X/xBZ76pC5J6GdDGZUf2h4:63S3JE2PHZ76pC5J6GEUfn
                                          MD5:68919381E3C64E956D05863339F5C68C
                                          SHA1:CE0A2AD1F1A46B61CB298CEC5AA0B25FF2C12992
                                          SHA-256:0F05969FB926A62A338782B32446EA3E28E4BFBFFC0DBD25ED303FAB3404ABAC
                                          SHA-512:6222A3818157F6BCD793291A6C0380EF8C6B93ECEA2E0C9A767D9D9163461B541AFAF8C6B21C5A020F01C95C6EE9B2B74B358BA18DA120F520E87E24B20836AA
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):510448
                                          Entropy (8bit):6.605517748735854
                                          Encrypted:false
                                          SSDEEP:12288:bPTjgdqdsvh+LrLrLrL5/y4DVHAsqx3hXS+oPZQqRaYG:jT5sMLrLrLrL5q4dAsaOFo
                                          MD5:308E4565C3C5646F9ABD77885B07358E
                                          SHA1:71CB8047A9EF0CDB3EE27428726CACD063BB95B7
                                          SHA-256:6E37ACD0D357871F92B7FDE7206C904C734CAA02F94544DF646957DF8C4987AF
                                          SHA-512:FFAEECFAE097D5E9D1186522BD8D29C95CE48B87583624EB6D0D52BD19E36DB2860A557E19F0A05847458605A9A540C2A9899D53D36A6B7FD5BF0AD86AF88124
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):149488
                                          Entropy (8bit):6.116105454277536
                                          Encrypted:false
                                          SSDEEP:3072:4sSkET6pEXb3loojg1Q2sorWvZXF2sorrLA7cG27Qhvvc:4sSd6pwzloDbsnX0sCrc7ct7QVc
                                          MD5:A016545F963548E0F37885E07EF945C7
                                          SHA1:CBE499E53AB0BD2DA21018F4E2092E33560C846F
                                          SHA-256:6B56F77DA6F17880A42D2F9D2EC8B426248F7AB2196A0F55D37ADE39E3878BC6
                                          SHA-512:47A3C965593B97392F8995C7B80394E5368D735D4C77F610AFD61367FFE7658A0E83A0DBD19962C4FA864D94F245A9185A915010AFA23467F999C833982654C2
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):722944
                                          Entropy (8bit):6.461841037101138
                                          Encrypted:false
                                          SSDEEP:12288:+DGOd2K9pFsPqEbVqbo16ITqX5PBxH4UdAWhZ5HXJKl:iddZ9pFViVqRIM5ZrZ5HX4l
                                          MD5:EA03FE27DF3672898090FE652DCAFDF1
                                          SHA1:A4C555ABE482DE8A409DE9CB2B04B39458A47B94
                                          SHA-256:B8D52C7B6F5407F8FBB89EDA8F0D09DBF13665324B1B48CE08602EB5CEB915BE
                                          SHA-512:BAE517ACA75A646596201B977A04D8B0F08AA01777B387700AF3E2D155958C0CECBC944AC2C856661223B1DFB1888EDD7DD6E4DA99891CDBE4D97467D79D987A
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):898048
                                          Entropy (8bit):6.498739548040389
                                          Encrypted:false
                                          SSDEEP:24576:mdk0Ytz7DREjBqXwuAOL7fjiV8t6f5xl4o9DCf:71tvDREjB01AOL7fn6fTeo9DM
                                          MD5:425A907E436D0FF71889DA0BF481DDD6
                                          SHA1:50D34868FADA4D532219F5B5252933757DAFFE04
                                          SHA-256:E4434FCF8C9DB1C3A09D4585B3AB4C47C6C6071A6117875544347068EEC84FF1
                                          SHA-512:E0F4938444DAE10DE8B47001482B4F5441BDB3C14D3AFB672A8D87B41756C9B6A28CFF643755A03E2A0F4F3CBC341A9FA34586B7A6B6DE4A9CC479D49BE1B9BD
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):206104
                                          Entropy (8bit):6.527663270766649
                                          Encrypted:false
                                          SSDEEP:3072:cXY40poiOthG/NS7rngyB9N4DfwAp2Ywz73GdXrQw18TYfHbd6q1:cINpBlNry5DAMYzXcY8TYfcq1
                                          MD5:210BB45A43B2F8FA7F6CFC31FA4EC6DD
                                          SHA1:3DACFA339AC11488D52A54806FFFAF437BB0CAA8
                                          SHA-256:AA965BC8429994C97BC2498ED8051A4101F7987A376924B105DE5F7915E42A48
                                          SHA-512:8A0E8863B06B306B11E0ABAD77B0285DBC17B8A778E241C2EBE0285BBF12C7B7CFDEACD6ED6D2BF71887342A94DACEADF8E0AA3164D4492E1CB9D0D1FECEAB96
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):3024000
                                          Entropy (8bit):6.401341683892991
                                          Encrypted:false
                                          SSDEEP:49152:gLJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvuS:cwSi0b67zeCzt0+yO3kS/
                                          MD5:CA9D0BC1FC3C0AEBE22047A2DCBCD715
                                          SHA1:8DF8054C0F3A9969493D74001AE6C6815090BB48
                                          SHA-256:69FEBFE8BB5D272CE0A488B1C4C7BF2C3CEAD22410F7E907681635DDD910EF42
                                          SHA-512:75D8B8811B736C6AF7802194508979209E34B6357662902456687E83FE348DE422B37A96A52B336448B9EE22F1B43D7C7B7266F67D9000B663F24CFE989F81AE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):261872
                                          Entropy (8bit):6.124188159004726
                                          Encrypted:false
                                          SSDEEP:3072:Td//dQmubTGzYPhdKbN/0mXNiL1JNUdvjyLBl2ndaLemXqiTlN/cozR6hyYGHs:YHGSo/Dc1ZLBl2daLGixRcozR6hyns
                                          MD5:C974C7B8CC66714A4BE0A7FAC840D193
                                          SHA1:E83936D5E3A1939B5B830B043936D55D79376CBD
                                          SHA-256:DA5E47C1FBA5C990CF66C529DA15EC050E3BA50EF9BEEE44AC8EC83A575E3569
                                          SHA-512:50C47CF18E354284CCEE0E370758EC5498B9D0769DC90141AFD458CC0D1D173423D12DD45E2EC140F5BAB4BADD017531FB81D6046340216ADD94B8BFF4553CA3
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):330736
                                          Entropy (8bit):6.381828869454302
                                          Encrypted:false
                                          SSDEEP:6144:6qLZcTC3wR/0JNZ+csBkBv0L0hq+SvcO8MsvwbIeblsjTR:6qNcCwqHE2fYlsPR
                                          MD5:03761F923E52A7269A6E3A7452F6BE93
                                          SHA1:2CE53C424336BCC8047E10FA79CE9BCE14059C50
                                          SHA-256:7348CFC6444438B8845FB3F59381227325D40CA2187D463E82FC7B8E93E38DB5
                                          SHA-512:DE0FF8EBFFC62AF279E239722E6EEDD0B46BC213E21D0A687572BFB92AE1A1E4219322233224CA8B7211FFEF52D26CB9FE171D175D2390E3B3E6710BBDA010CB
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):731376
                                          Entropy (8bit):6.179937626354653
                                          Encrypted:false
                                          SSDEEP:12288:r+VjdxvoKGf8vRRjggGQiaaNaRn+LEk33zTL5XcqNO3rX6/3TW+17T+SrdqJzUXZ:r+Vh9UkvRRjggb/aI+LEuBJpdq1YZ
                                          MD5:6AC7AA6A96EBB68D537099127715E551
                                          SHA1:343CF0E56413973A89FE82652A69FA9FE756E4B7
                                          SHA-256:DCD64A0F526F2B42D3052B239900D46FFE5D081F9C456A770A770A153AD4187D
                                          SHA-512:7E194AEFF72EE3632CBE8AB8D0A988A025B7780A3B3EC8729817E3C468B63BF9C0DE9B82C4BE66D8BD96FC4D091B8C06AD912A19CDE0D76DA2649BA226F84083
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):305392
                                          Entropy (8bit):6.242398831287072
                                          Encrypted:false
                                          SSDEEP:6144:zXvA6GWLMKIhiovzNWUbtQ0Q8L/hFHC7p:zXo6GWgsov9ZrQ8bhq
                                          MD5:3CFDE799979AB3BDDD93FFD46A375CD0
                                          SHA1:AAE44FC249918CE86ACA050D3FE7311C2FFC0C80
                                          SHA-256:83CF481C9AFA319C573BF642BC2271CD65C5435076A3BF99ECE9FB53C52A35D2
                                          SHA-512:5C355324802D80A97E3EAC823430C1E7E1D177AF562AC11B94E978450C789BBFBBB32A9DC01CB530764F0E5C114FBDE8D9F4370DE2FA19DBA689B0BBEF7E80F6
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):150016
                                          Entropy (8bit):6.153853842832493
                                          Encrypted:false
                                          SSDEEP:3072:795pD8/5DF369YVKIf/AihiUNS1ZHGQJImIQaya9bmMAznIcH6KkeNWi3uRNWONp:79n8/5o9YVK4WSmQ9lSHfkM
                                          MD5:4CC6FC8AA81C763F819EB171A72B0755
                                          SHA1:A795938F6A3A6878B7125C037E92CD64592BB9BE
                                          SHA-256:B6DE4A001F659EDDCFB2E0E818AACD4BD0BB687EF1EB316E682CC6955C2B6178
                                          SHA-512:15955838CC3C81A970A5DAE2805567BDC101B9B9FEA310316EBE115944E5492DA450BECCF14638BE81D8E3F49196E201415909181A0FD70774B339F2E0051B09
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):85784
                                          Entropy (8bit):6.594110245111798
                                          Encrypted:false
                                          SSDEEP:1536:U3qPWvVCMgfw2eeWqjOebgk0jIpePxd76LGYU8j6ecbolG8EB4h88ii0:U66dsFeeBGPj1L6LGY+ecboC/8ip
                                          MD5:1453290DB80241683288F33E6DD5E80E
                                          SHA1:29FB9AF50458DF43EF40BFC8F0F516D0C0A106FD
                                          SHA-256:2B7602CC1521101D116995E3E2DDFE0943349806378A0D40ADD81BA64E359B6C
                                          SHA-512:4EA48A11E29EA7AC3957DCAB1A7912F83FD1C922C43D7B7D78523178FE236B4418729455B78AC672BB5632ECD5400746179802C6A9690ADB025270B0ADE84E91
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):2240000
                                          Entropy (8bit):6.548212734365113
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):342016
                                          Entropy (8bit):6.124318304938587
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):137216
                                          Entropy (8bit):6.225171524893703
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                          Category:dropped
                                          Size (bytes):82336768
                                          Entropy (8bit):6.709624515309904
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):4072960
                                          Entropy (8bit):4.29892941159376
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1305600
                                          Entropy (8bit):6.500414270235113
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1248
                                          Entropy (8bit):3.411406870003142
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Preview://##########################################################################..//# #..//# CLOUDCOMPARE #..//# #..//# This program is free software; you can redistribute it and/or modify #..//# it under the terms of the GNU General Public License as published by #..//# the Free Software Foundation; version 2 of the License. #..//# #..//# This program is distributed in the hope that it will be useful, #..//# but WITHOUT ANY WARRANTY; without even the implied warranty of #..//# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #..//# GNU General Public License for more details. #..//#
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):31512
                                          Entropy (8bit):6.482572392659554
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1405440
                                          Entropy (8bit):6.457300172251594
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):914432
                                          Entropy (8bit):7.34282950558293
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1340400
                                          Entropy (8bit):6.41486755163134
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):65625088
                                          Entropy (8bit):6.716204630721569
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):64000
                                          Entropy (8bit):4.918600259690758
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):2577648
                                          Entropy (8bit):6.18813475149753
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):436011
                                          Entropy (8bit):5.959829336161829
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):803328
                                          Entropy (8bit):6.301764713308598
                                          Encrypted:false
                                          SSDEEP:12288:zi/B1Q7qKbhpvjs13V8nt0aG4m5UTmSpN2oyIKefN/4:zSB1Q7qK1pMktxQUT3v2XI9/
                                          MD5:65E878BE5E621489342B5369D2CD446D
                                          SHA1:5FE0112DD80BEAFF167212E13DB73335BC1C5120
                                          SHA-256:14DD904B4DF2BC9956EC1719F778E141350913DF097368E77BACE6CA1DC7F339
                                          SHA-512:31AEBFCB29905AE710C33A45A93B9EB28755CDEF47861B22A2854994B6ED634D999E93FDCE55913B218FF1D99290AA68F9CA7F80F9B66A517802495E66EC4205
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                          Category:dropped
                                          Size (bytes):646656
                                          Entropy (8bit):6.609281858827991
                                          Encrypted:false
                                          SSDEEP:12288:OglwOtpxXkR8AePKhBWvtUcvmfc1TnKGJfSBZHllBNlRCDddyNdtsprNE2:O4wOtpxXkR8AePKhBWvtUcvkc1qHlhlW
                                          MD5:59F908380C488F066D712014EEFF5BD7
                                          SHA1:CBA52F89D7E9087F694CB7D6958A80B6858EED75
                                          SHA-256:7F6FEAD1AA53772FD657D4462826E042B8F2049D3C3BBB493752F22B058F3A78
                                          SHA-512:D7E2E459B417B9C23CAAAE3843442048035DEF57F7ED679999EBFAD648E2455E0E6E0BC4FE229D62F7BDD7ED94D6C86156EE4CB7ED0A7C742F3B81CD2D3FFCDB
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1703152
                                          Entropy (8bit):6.263930597929995
                                          Encrypted:false
                                          SSDEEP:49152:zjIvfo41bZFaxoVEbck8vlXlq00MBdCHa4wceTlBKB4WBlz1/w2SvpNiX1nOrw2x:skzc
                                          MD5:4FB0AC0BE1DE51903B251B3BA7842A9E
                                          SHA1:6A27E35545C900D0480241FBC5D4EDB87AB50574
                                          SHA-256:83DB54F529B47A8E8E1A4B898AD64FD9F4B6A5D96829DA183EA650154AD132F3
                                          SHA-512:C883F31B18D172768C7B47EB0F62F45C166ACDB28B83B0D4D8137A61F12DA6F50D9B26B63410435B09F2D5EE98C958E4A1116098DE3AA47EAC41B66D5FEF6F93
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):216064
                                          Entropy (8bit):6.0328472485055205
                                          Encrypted:false
                                          SSDEEP:6144:WxSpnOEgvfV8XO32ZHYHCct544Jd20dHUI/cGMnXOSIDOYvXUqiwrsAtj4hawtah:+jEo9t544Jd20dHUI/cGM6
                                          MD5:B23960264D44FC1F13250213106DC184
                                          SHA1:014D92C4DABA21E22D30435719477B6A146259AA
                                          SHA-256:7F7B6D425D87A7D8BBA1625CEDAAF0D9CC9B92AC9CA4ACA05B53820CD818A0D9
                                          SHA-512:45FA43135A66878B6E2B3352AF7DC13F9BC867F53067DBBCBB4A8AD6D7F7ED074EA60986F9E105C8896E8BF64C9089146124977CEF2AE5F6451FF562AD725A9B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):180736
                                          Entropy (8bit):6.4689591835949
                                          Encrypted:false
                                          SSDEEP:3072:3RZCni3L3TP4OKFE+rtuiNFEPj43AQsnA1Tg08fC7jqC5UouCGZCktTiNTqtOuK+:vCni73TgOKi+RzGr43AQsnAF5IWswPw
                                          MD5:EEA12E88CF534F41963EDAD1522D8802
                                          SHA1:9AF546CCE2DCC16EDDF3B517D89D35E51990DCD6
                                          SHA-256:18F3E0E9C7C84666C4D738247D607065CDE890569CEB621CFC95DE77AA8ACEF3
                                          SHA-512:F917F1655D9371A1D5A026677DFBE5B8EAE6FF69528253F36CAE468546A952733DBB159566240158A9608256383A92A8E64545522612E93ACC3BDB83EBBE045B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1728752
                                          Entropy (8bit):5.177332416676532
                                          Encrypted:false
                                          SSDEEP:12288:XjIJQx+Njd+rxP+vzLCqq98daeRsu+y9RNiZSMsV2JNs04Wchnn9c7gQ7vDorJap:Tf+Ncx2zLCqiOaEL9biZ6MJNQ8orSUk
                                          MD5:3539141FFDA9CAE0C77131AEBA50A114
                                          SHA1:EA31877537A80E499C33811C10C66314D0C51B04
                                          SHA-256:047DFADDB4285896FC4AE8905114F9FE5808868B94CA34828FBDFC42135C747B
                                          SHA-512:9703E1BB77065773953C1F946786D661158D8DDF4DD07AC2E5C9673C87DB0198AFB6FA737BF0BDFDF7F5BA5A6FC1F6AA8E3B4DF4A2D635DEB79F9C9D0BE1F6DC
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):332568
                                          Entropy (8bit):6.217408928777197
                                          Encrypted:false
                                          SSDEEP:6144:tlBybiGsY4lxA6c40PMjoTrDPbv+Xipv6wfnWzgcpw2eRJ:tWbzsBcPPlbxpvIzQT
                                          MD5:1028995446D0032530461BE30CA98F48
                                          SHA1:18446678152E9997EED9C02995F957D58A8E8F32
                                          SHA-256:D404B49C25CC76DC4C86E1D82FC23799482F6509E85A73ED8177EFC320EC0195
                                          SHA-512:ADB9AE577F082E0246CAE5C804FA4CD08BCF54CE78EACA02D49B9B1B262779667A251E98CAE807AFF50FDAC504B8CD855CE4D786F587D02E0A18F6AC8E0D882E
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):31
                                          Entropy (8bit):4.373551149096553
                                          Encrypted:false
                                          SSDEEP:3:lLWQfZfd9:RWCpd9
                                          MD5:D3FC27613FF7EBD51808D0A0DB4D0FC9
                                          SHA1:E7E8F95165C18B542653B21FB71F970A03BE60E0
                                          SHA-256:9D5C9D8C3035D78040D5323DF783EA085EEFBED8780893139D30BAA3BD9E6455
                                          SHA-512:31B7CCDC6746CBA7B95CA51D93BA3F496DB64650CB716E0DBB4DCC46047065DF60BFDCA7C390CAACBE77D9AD17FF6084DFE5CE076ACB4EC30BC2EC95DA2A3B52
                                          Malicious:false
                                          Reputation:low
                                          Preview:@set PATH=...CloudCompare.exe..
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):848624
                                          Entropy (8bit):6.226073557201281
                                          Encrypted:false
                                          SSDEEP:12288:glSRkt/ADhUy1qHvH5Bv+lO5h6n288n7BDtxThD+10:g4Ryy1qHBBv+l668n7jxm0
                                          MD5:09384FAE658A7566655E76C32DDEF653
                                          SHA1:FD16FD1A7504EFA9B1A17FDDE897141985271F32
                                          SHA-256:4448C09C7A0CF3A18DBCA33C7F889CD36D5192D668EA2ACBB4A4E65261F731AD
                                          SHA-512:52DE1C06DA4E2D3DD5F570A06E87F3AB703FC4578CE7D14A68108EE6BE7DD1563D1785BC8DAF107BCC18D7073C10CE45C2B06968FE3249322C431C06C8CE6295
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1575936
                                          Entropy (8bit):6.522022448413462
                                          Encrypted:false
                                          SSDEEP:49152:qSY0LA3zwiZzjs9nyFHV1Q62ThDAQp7/VqPVcuP:ahAThDAQpuVc
                                          MD5:21BF4638E5ADA899A43AC322BAC4600C
                                          SHA1:9BC1D6E44E14314C6B002436D4EDB9B7F8A51FB6
                                          SHA-256:AEE3F7C3EF4477D46F9CD65B00BB2EBAA23C2EDE84D60027102F97F3463542D5
                                          SHA-512:DDDC9A5EB060D82F8C3741E1F2241924DFD00A15A29D3EB00B0F87B38A34E0063E0B885E41F892A7966D28F5379A71D8BDD9DA434FA14B278672F64328540F5E
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):359936
                                          Entropy (8bit):5.682629096124071
                                          Encrypted:false
                                          SSDEEP:3072:9h1r89dfpp/Q82+udVRCEzgnvYJY3dCSU3by5ncqs0TslqX4x+F0NNUNbhEy6CU:9h10p/TMMvYJYdU36crbS4ZoRU
                                          MD5:97853DCCBC4B7F14E56D31F7B56364D6
                                          SHA1:5EB49E3441CA1A8F75B381AE1F98ADAD9A905D4D
                                          SHA-256:95A71D6D6600B0B78F8F2F200F97B539D92D59327B649DAA2D33E5F56BBC519B
                                          SHA-512:421C07DA9F53253ADEDC022C6AA9E0DA6248319B734678FC88D320C278C23B95CF969BC262BB1510B6F5710B80FAF5B1EE1CC5CD8B15FA57912F67202BE952CF
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):326144
                                          Entropy (8bit):6.195700191357499
                                          Encrypted:false
                                          SSDEEP:6144:aiEihwMr/RYZfJTW3z9EVWJ9nB5ouD0K+6nkZRAAB5Ohl0omBEV/jVq9mUT74Rsx:aiEiOsJatVUEA
                                          MD5:E421801BEAB05A96A041EA2A759D7E50
                                          SHA1:6E6BA8E783E8F4A8E3984A8324D353D56F360AE8
                                          SHA-256:9E3B73B7395CF53942CE363FC69A825B53534703920691D38E97BD84C08825F8
                                          SHA-512:7DC1D88B8E5BD519887BD9DDA2700EBE7AB8647DB1E8E1B56D749EA670F91D451BD7DC8D0D1C02775F89D4EA108575ECE3A7402B43EE8DF32428F0A6F54AF3FA
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):560
                                          Entropy (8bit):4.819890866613878
                                          Encrypted:false
                                          SSDEEP:12:jXlCrSbfJh+thGLD9nOAVDFexQjl5F+fJIzGIml2f:BCrSzJhWQ39OAVDFxjAJIyIM2f
                                          MD5:69C927B8C88EA2556CA7F0F201ED412C
                                          SHA1:C7E9CEB0568A5040EFC5D44CCE069453A414BE1E
                                          SHA-256:F32EC578A85CF99B4D1ECFA478499889F4155CA7B3B2920094F95DFA30516F26
                                          SHA-512:A3EB4CAEF5B5B1056AAB3ED87022A86CA662668BB8B73DEA2799908B47C2E53C68859567B33AB1B66A822CC2879BE3A834973EB2B01DB25125EE322473C4BC60
                                          Malicious:false
                                          Reputation:low
                                          Preview:// Before modifying this file, rename it 'global_shift_list.txt'..//..// You can place here sets of shift vectors and scale factors (associated to a name)...// Each set (name) will be displayed in the combo-box above the shift fields of the..// "Global Shift and Scale" dialog (this dialog typically appears at import time while..// loading a file with big coordinates)...//..// All values are separated by a semicolon character (;):..// name; shift(X); shift(Y); shift(Z); scale;..//..// Example:..//..// Ankh-Morpork ; -621900.0 ; -5114400.0 ; 0.0 ; 1.0 ;
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):4450544
                                          Entropy (8bit):6.458222828027988
                                          Encrypted:false
                                          SSDEEP:49152:+RYsIZfypUacEN7z1NR6JYL911cdl40pPQKE30tBuQS6BqL902zJAysI6maHmbM9:YYsI5xKZ4JxsvAI6xHEMb5Hs9d
                                          MD5:384349987B60775D6FC3A6D202C3E1BD
                                          SHA1:701CB80C55F859AD4A31C53AA744A00D61E467E5
                                          SHA-256:F281C2E252ED59DD96726DBB2DE529A2B07B818E9CC3799D1FFA9883E3028ED8
                                          SHA-512:6BF3EF9F08F4FC07461B6EA8D9822568AD0A0F211E471B990F62C6713ADB7B6BE28B90F206A4EC0673B92BAE99597D1C7785381E486F6091265C7DF85FF0F9B5
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):3778688
                                          Entropy (8bit):6.381493838760625
                                          Encrypted:false
                                          SSDEEP:49152:46SRSFneW0gGoV8tBB0pgRQBPMmS9BQRCSY0uKBY9zwaSNtASu58JfX/MkjX9F:XFFjByQET9iu8PXjT
                                          MD5:EB6EE54899E763C0C32625847735CB42
                                          SHA1:98DB0FC03A7BBD71901770F9637AA3EB57DC05D9
                                          SHA-256:0FA8364972240178560821D374BDA70A8A5E5B2AE05374E258C9599D8DF4A554
                                          SHA-512:E205199D0AE9A68BDD8E26809D5CC6C8360EA00D9C94A6B53F1B48A6EEC7DF7672062B4A9BF8A3A890D8053E66241464D099520841F647EFD98862AE3AE4AAFC
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1304064
                                          Entropy (8bit):6.3870556331947235
                                          Encrypted:false
                                          SSDEEP:24576:hgar8jZShGQRO0mENxPM6LQtscfMlYiupJjpm:Lr8jZdELPM3jfMlYiuzpm
                                          MD5:CC559D3B8F1F0691DF94A76C5E869D16
                                          SHA1:4CA778423A255EA2F2269E18DDD7AE449E4FB32F
                                          SHA-256:E3DE026BF30FD187C3A893B8489CCD49C265F0747D38BCE0C94782A622D2B9B2
                                          SHA-512:C40516DBAD6E3EC3110A5A078F70F8C525C08CE45F159C1F83D2AC259BD74050A516D7808ECDDD2175343DB6D6945C4286B7FD32EE1F2B96C84A7BE41A2D9A04
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):324096
                                          Entropy (8bit):6.3377399185673235
                                          Encrypted:false
                                          SSDEEP:6144:FBgyWUu11adMCSxB8zPMc4UvH1gjSnSapcWAAEJTfSQSg913ieVSuQMsPcZwf:FBgXj11tC/PMcWapcbAoTfv130b5f
                                          MD5:8B7BB6C392EAE81F3B4F0A5638BD50E3
                                          SHA1:54AC8ACA96234D59BDC8AE2F800185E48F50CAAE
                                          SHA-256:B85A49A23BD8A554F7ED475A8817C5E027853A86B3D94BA4DCF4EFB9109D2579
                                          SHA-512:87B8E4CE2F414CCA07AF6EA10337A04D37C8243BF62BF092812A5406A546AD92F08EC572BE8D683598C8EC1DFD1AA55D50C17BA80243469833D896DDA1DDE70C
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):33792
                                          Entropy (8bit):5.544702627865242
                                          Encrypted:false
                                          SSDEEP:768:TLAqRG/xoIUEVsaZ69deagBin87Z2c4AbGP:TK/xotEVtZ69kagBin87Z2cfGP
                                          MD5:C960C48DE097FD3C2BA3B43C095CE388
                                          SHA1:A4551EEF2EBA4A4EE4A6EC83A5953F63CE3BE0C6
                                          SHA-256:1D0F01ED76CE83AC277BF2260575FE47F3910E2CBA4C5A26F90F811E902962D9
                                          SHA-512:A3ACD232B28922C4C40A9BE09C002445E6384119A2937361E1C7ADA577924C6CB7B40053A06D9F433CE5660AFEFF5EC23853304C1102BAA45ED8B49583461183
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):11594752
                                          Entropy (8bit):5.8614931256398926
                                          Encrypted:false
                                          SSDEEP:49152:NNzpamKhw2a6O4ZycLPqxfXj9fKtYdOMiyys0dRssdkVEMNMndxm7mBU0915ROHU:ocdiDDMEf0Ff7IMHSdj
                                          MD5:7EF9CF9E7604E9E4728E63A85C9F5BEC
                                          SHA1:89BDDE3F68645FB7BE3F21A970B6E3AF8C750704
                                          SHA-256:66F741623E01E7204664D58750A44100D5342BCA0706EA58396DE925AE3041EB
                                          SHA-512:74BF0C9884C02B9827E1D80067535C1039A38C6DBE64695ABFF6C4CC10738A951FE72F7069376594BABA26B468D6046DE1A1650D4CA7D985AA77CB3C1B46BA90
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):48640
                                          Entropy (8bit):6.318600850824361
                                          Encrypted:false
                                          SSDEEP:384:OAsSKWgciQhMwpuEEXd6erEvCZ9dWVQlmg5EP+Bs4mw0z4KVX055VuPXkr/YuPCQ:j2sbAQE7WSgPws4mn5ahJ0yzK777cF
                                          MD5:4689FC376ACE9A9BD7C9B313850EC0BF
                                          SHA1:7E9C5BF39F0AF67983433F2459B08548C7542338
                                          SHA-256:E221514B68083A2F57B8441433A197A07D569F4038D8F0BD68F1734D95F9A456
                                          SHA-512:CA61E3BA794CEF6B53C06D34B17770363BC4FD9A436EF23111190321ABE0E1D606891B11C13159D6B3685385B09511E3A2FED2532B991CFC7883E8B0061C243F
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):2697456
                                          Entropy (8bit):6.294325960113847
                                          Encrypted:false
                                          SSDEEP:49152:tYFO3e6YpwBhqben1GtA+6pf2v7+zxUZUM/SRCJg7E661CebH2DOz7JsFWRZ2:AUMyDO3Ji5
                                          MD5:17571E2B575C43E910C8308A447EFAA5
                                          SHA1:EE605C41D4F11F2E6C489F613D7907CD442F0813
                                          SHA-256:8A7DF7EA0CD8EAEB38D354E3F0B1118A530580F23ED933DDCF28547701F72C55
                                          SHA-512:A3F4F9B5FC3B25C8082B85B06858DEED2AC24111214317F263A4D51F2DB15522C7EAF12A4CBB5882406134135D8F1F771D8ACD4FF86F6B87CC1CE88772EC5154
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):3783408
                                          Entropy (8bit):7.082603044017435
                                          Encrypted:false
                                          SSDEEP:49152:DvGbhb3gARA+DORgiDVVqWRcBP3Par9P8jtP8T4sLrM5up7PA:64NhRcBP3Par9+U0uhA
                                          MD5:2884F95C5C51B793A16C822F6865D468
                                          SHA1:40A6614137E528E76C78900E234AB31F5A76AF3E
                                          SHA-256:A58CF1A96B6073777C8C25C162692F4706B95428AD98A9BAD9D08E697E204125
                                          SHA-512:FCB46F404C405C5EEC13F223DB59B5144B4F4E6DE6777C671A5164283D278A13571472E35055A93BBC902933042AF894D6BBF2A1932BACBBB12D510403D2CEA5
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):70656
                                          Entropy (8bit):6.427052922078226
                                          Encrypted:false
                                          SSDEEP:1536:NAtEBVLW449/7DU6BNNiWrnToIfCIOvIOwIY/ky:yKVLQxDRrcWLTBfghwIY/ky
                                          MD5:977D5FD0F1CE33492336D6D48E4BEF6D
                                          SHA1:575C7AC6104D3E000B091F8AF343E822DBC53931
                                          SHA-256:41775B504663392F630CDBA675894A0A65A9C09616D5738B2DF98AEE329F0AF7
                                          SHA-512:11C4EA625D74D55F1926DC237436784577B8F82523A996843A0357156CCBA6D46EDA56928FF7AC82ED59BD8C131F96A1691D90B3997080B442AADA286DDA2C27
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):543027
                                          Entropy (8bit):6.081562472859807
                                          Encrypted:false
                                          SSDEEP:6144:SS5KjgGnpG7wZAF86y2iLmKiXc2HsvOB/2FV2/vF98G5hSkZqBG1N64vdw:9AgMVwPy25G2j/2FVuvUY0yN64vdw
                                          MD5:5427B1D1E958FE77B18C6EA992B1BCD6
                                          SHA1:E3D8946C366402C7FDE6053DA666F1E066E5A7D7
                                          SHA-256:FEC43CB18CE0EC8A5DD6AD1DB745747167310CCB92B5ACFF0D445A8B3013F009
                                          SHA-512:FD47E681ABA34A0CA4A9E6300905834163257E3BF11EC4A214231DD0FCA85E023DE0285151B5DEE835EBD9A61EF39E8E49B0EE55BC0C77AEBC9F601EF3ADD799
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):321008
                                          Entropy (8bit):6.4037799339163355
                                          Encrypted:false
                                          SSDEEP:6144:dtqkKC7BjQV5eR1b+yRWsJQnNfckNI+STEDC4nkml+T/6qhdDqvJbb9fv:HRFe5en+gWUCNTF9fv
                                          MD5:B1F29EA399C173C50C64FFCA5F13DC7F
                                          SHA1:4A039AFF59F34BAE66AA24A0C349059795BF13B2
                                          SHA-256:0E179470446A14C3706182D88FC95E5C066957C3752DEFDD6D3649AE877C87A2
                                          SHA-512:0B95E7209CDBB1E977860E8A41E73C5232E682EF111A34A57762FA6BC83D8C3126BCD38069E1D8FB72703F356608F98C103717377493D41E0F4EB5CAA024D79B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                          Category:dropped
                                          Size (bytes):18416128
                                          Entropy (8bit):6.683302926545402
                                          Encrypted:false
                                          SSDEEP:196608:zMYiFS3ke63qeMs+eBH0Xbr8EYriPyv81djl1xV57VB:zMa3kLBH0rr8EYriqv4dRN5f
                                          MD5:36A0558B4768FC872970E6DF3D80E344
                                          SHA1:567EB56023D3CE1676B30F1087C3BB6182CFDAB0
                                          SHA-256:8154BAA7A6C1DFEAD2CB0EB27FEAF9568BD2AAABA0F53A6AAEE75705BF807E3A
                                          SHA-512:32B0EFD65869A622AAF12451D234A49DE4B159B07297813A72B9019BB56EF0D990C9308630262C5FB4C73455A04B0CC46CB81B828BA627B93B120DBF3283FB3C
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1674992
                                          Entropy (8bit):6.693921548534279
                                          Encrypted:false
                                          SSDEEP:49152:v0BOonBew9Ic4GrEoh9ald5RYaHOakyGCgKqHUWleD/SSrWZp:MnnrmvzgAXgp
                                          MD5:8AE454F4BF46749D2E326E66934BFC39
                                          SHA1:8998065CC8331982EB1DC7FA369BA366E114B302
                                          SHA-256:3CA6E5F349545FE2F7A11617CB082F4B60EF373A2702FA24CF4C2F88D8C5EA8A
                                          SHA-512:CBC35391B1C3FF074111B565BCF2CCE0D6C2C010FE2B4CE245531E33702F4B0F9538CB4B23AFBF632B1A18A0C176305491258DD678D08605957D0186DE38C98B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):943104
                                          Entropy (8bit):4.884100718195113
                                          Encrypted:false
                                          SSDEEP:6144:GNVEvTyvUpeL7/Al2ntAFXgltlFgj5KsOHhTmkijOcprzyB61vdq0umlKnSDpd:GNOTyvTX/AxGlUK1KkWyB61FTuEK4
                                          MD5:799A5FF9D9919DB09A70ACBA8DA22E3F
                                          SHA1:737A8000644C5C59B8E609DCC7C87B807C4D70FB
                                          SHA-256:0C8F98093EADAA3EFBC4DEF4E047B61BCE3262A395F9214D574F51DDDFDA2E4E
                                          SHA-512:129F35F37874C228A74ADA9C429F303E1EC75E3701B085B8D7D9A360D6B525B93D40D46FA70795176625295DB19DA5EA67E4D07920C86F86B6702F0965B71981
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):627992
                                          Entropy (8bit):6.360523442335369
                                          Encrypted:false
                                          SSDEEP:12288:dO93oUW7jh6DN0RUhsduQjqDZ6X/t5mTOKGmJ7DseBiltBMQEKZm+jWodEEVoFt:s3oUW7jh6DN0RUhsduQjqDZ6X/t5mTOo
                                          MD5:C1B066F9E3E2F3A6785161A8C7E0346A
                                          SHA1:8B3B943E79C40BC81FDAC1E038A276D034BBE812
                                          SHA-256:99E3E25CDA404283FBD96B25B7683A8D213E7954674ADEFA2279123A8D0701FD
                                          SHA-512:36F9E6C86AFBD80375295238B67E4F472EB86FCB84A590D8DBA928D4E7A502D4F903971827FDC331353E5B3D06616664450759432FDC8D304A56E7DACB84B728
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):235711
                                          Entropy (8bit):4.881009157481132
                                          Encrypted:false
                                          SSDEEP:3072:VinPJqOuT19YK0ooi4M5Np+FrqzDnBUMvGnkKbAeLqHjawFUPM8CVuH3H32p:L193ou8rqzDLvGxAeODacNTyG
                                          MD5:8FA735FC69E7AE5D70271BA457633099
                                          SHA1:5DFA18BA94398B07728443A951B9BE99857254AB
                                          SHA-256:00A8F881A71EB2B13E18C5D6B1795A7D0D0A1B7A8E7D93753BA843D0D859555F
                                          SHA-512:050228D412EFF4FED36F8EF7D972DEF23EB369139CAB692AEFC83E83A2654C7E5D5E737F8F2160C13E93C8782C9C5283BD4B5D05975BFBAA4684DA6123ED410F
                                          Malicious:false
                                          Reputation:low
                                          Preview:CloudCompare Version History..============================....v2.14.alpha (???) - (??/??/202?)..----------------------..New features:...- Edit > Color > Gaussian filter...- Edit > Color > Bilateral filter...- Edit > Color > Median filter...- Edit > Color > Mean filter....- to improve coloring by applying a color filter.....- New Command line options....- New command -FILTER -RGB -SF {-MEAN|-MEDIAN|GAUSSIAN|BILATERAL} -SIGMA {sigma} -SIGMA_SF {sigma_sf} -BURNT_COLOR_THRESHOLD {burnt_color_threshold} -BLEND_GRAYSCALE {grayscale_threshold} {grayscale_percent}.....- command arguments with a dash can be in any order.....- -RGB runs the filter on color.....- -SF runs the filter on the active scalar field.....- -RGB and -SF can be used at the same time, otherwise at least one of the 2 options is required.....- -MEAN|-MEDIAN|GAUSSIAN|BILATERAL......- specifies the filtering algorithm to use......- required......- only one should be set (However, if multiple are passed, only the first one will
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):7008240
                                          Entropy (8bit):6.674290383197779
                                          Encrypted:false
                                          SSDEEP:49152:9VPhJZWVvpg+za3cFlc61j2VjBW77I4iNlmLPycNRncuUx24LLsXZFC6FOCfDt2/:BJZzI1ZR3U9Cxc22aDACInVc4Z
                                          MD5:47307A1E2E9987AB422F09771D590FF1
                                          SHA1:0DFC3A947E56C749A75F921F4A850A3DCBF04248
                                          SHA-256:5E7D2D41B8B92A880E83B8CC0CA173F5DA61218604186196787EE1600956BE1E
                                          SHA-512:21B1C133334C7CA7BBBE4F00A689C580FF80005749DA1AA453CCEB293F1AD99F459CA954F54E93B249D406AEA038AD3D44D667899B73014F884AFDBD9C461C14
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):2117872
                                          Entropy (8bit):6.289461121862461
                                          Encrypted:false
                                          SSDEEP:49152:MQ1PhsCh07gUJLD1y9Ez64XBOMSeMxHwdeLz/4pBbfqR+z6Yb7vQ1f5Ppm7HcIhp:w9Nr
                                          MD5:FEDAE2A00AEAA26418123C7607F8913D
                                          SHA1:112E8FEBD96880D7DF3EBD034AFEBF52A905B25F
                                          SHA-256:A96F624E8AD557F28A35C2B08CC238F4760FF73117932C473EB6AC94359B4D00
                                          SHA-512:10BD032039CBF8427B8FA97860D226360C10F1419AA48720474F49DD2BDB7CD5972A2C776CFA369D429FE957BE617A01E7999ABBE9C6E585BDFB7B9F005BBBCE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):2326768
                                          Entropy (8bit):6.265149852539151
                                          Encrypted:false
                                          SSDEEP:24576:yPf0xVJnPKKuk6Fcg0UR/GHLv/8Cncx60IBSdDq75z8KIVZDba7JpNVs2SRPX:yPoJCKuJFsUR/m09IB8cuKIL/QJpNYR/
                                          MD5:FDDCFABB82A4BDF771B9C8504DEF8211
                                          SHA1:FA28EAF5D24A510A53CA3739BB533A5EBA200FF3
                                          SHA-256:B0F29826C1EC3AC4C8FB781D153084018ACE637FB7085FFA525483BCBF144FDE
                                          SHA-512:D3DFBF7524F2F0A4597FCE9E1D59AA393485FE1D0DF400DA176BE4D76C628D1D47C2AE9038B908BF6C487B4F66083E586C3AA1023D6D16F4CCDC270C272415A8
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):2488832
                                          Entropy (8bit):6.160943225546191
                                          Encrypted:false
                                          SSDEEP:24576:F0/+sQ6I4bzQrzL7f2DdjAsWpCckWhfIHm5b4pgDpxiH+ROm:Q64bUnLb2DTWpCck7m5ZpseRt
                                          MD5:38A03AED710AD5C471F7864E05CBA4E9
                                          SHA1:E1A0FD42A0BBF5F7F22F9BCCE5C9BE1F4EABB221
                                          SHA-256:D8690C5E0EA25CA2AB480BCEA830CAAF07CA5BDCB5D81FDF6C5B36ACDEEDF124
                                          SHA-512:B66B526148E24DF3C8CD7150DEBF83D1D861939866B00B186759F26C75E187257AEFB25D7FAC44788CE04C54981381441C64BE141DA520BAF1EDEF9E9B5C7C11
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):3815664
                                          Entropy (8bit):6.407256607167561
                                          Encrypted:false
                                          SSDEEP:49152:+/uSVZLrvrTX30234JyyeZBzswYE9/EtYqJ9er/2CFCpJq:+/FpZBzOmr2CMpc
                                          MD5:9B65E7DC2CF1D85C62CF858E45B74E79
                                          SHA1:9ECFABE63716F9F270F2DC15BA2DB189BDAE7ED9
                                          SHA-256:9628E99890E59FDC11A6AA6351CEE7EFCC0AB96DB1A5A75B0EB986A5A64D14ED
                                          SHA-512:EC0F1B3D537AF6C7FD3C75E89A187BAAA15700E9A35D871636AED4B202C5AE7F800174EB2F3262ED90CEA8450ED15EADB69D89709F339C02610DEC60689361B2
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):33264
                                          Entropy (8bit):6.210822520849061
                                          Encrypted:false
                                          SSDEEP:768:zSv+K3b4/Cfg+E2wkjk/+ZW8DT92r+dDGMUf2hKd:Wvm6XS/8FDTsr+PUf/d
                                          MD5:7E40B0FAA08E8F2AD78BE6698225E3E4
                                          SHA1:03332C56E4DCFEFC33BB731133BD3EF71C4CA9EC
                                          SHA-256:2212E66EADD559705E244409354ED264C286A3CAC7A3E511737C3D31E2A0F4AE
                                          SHA-512:A4C545A8B8DAAF6B4321BB51745454B77D1F591C7131F19FDD40BACD943D5074886037CEAE19E7F1515313B0F990E42A83520957CEDF056A39E1EC1E4AFD7272
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):10633328
                                          Entropy (8bit):6.192336081640698
                                          Encrypted:false
                                          SSDEEP:98304:H7R37atBP0I6QGPuFnIG0rXM6xYQtDgLtRtVnnsdG:d7atBP0I6QGTGeM6xYR3nsdG
                                          MD5:6235580B1B5B7BE6CC64FDA77B06AEB8
                                          SHA1:F91D2194F25522D7DF16E08595FA9F78F2E11AFC
                                          SHA-256:B171C7FECAB2B4A717B5D6157A74069F45396958F60C3F892D0431E96D6E95A1
                                          SHA-512:629EFA682B08BCF1BFE27A496DCD43F00007BC160A96C520FC71B61BF7F668F7BCC4CC08E3A02367B65710E080948697FA7D7FCD5916C48B18834A243CB23D0D
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):471792
                                          Entropy (8bit):6.133406334839098
                                          Encrypted:false
                                          SSDEEP:6144:/C9mSwGqUtU6NFPIOWIhz8qtQej4gFlShFXA58+eIVPV/RrQp8XWLSZbRc:/2wGqKUyZ1zeYMKB+
                                          MD5:81C31E22F2EA4AD7D6512A00E276EAC4
                                          SHA1:7D95F2E547D177BA258E75E29D9D2B0C4C9A9287
                                          SHA-256:088446600B5947744066887DAF19E2562DCCA797A7E83F34BC474645C57DEF7E
                                          SHA-512:FDA5D99B69551755663540022F0E0468BEB289683F35D300D809DC35A2C9A63447AE24FE335DFEFB9DD6561B1917377C9525D94181F2F0E81462F045844497F2
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):3778688
                                          Entropy (8bit):6.381493838760625
                                          Encrypted:false
                                          SSDEEP:49152:46SRSFneW0gGoV8tBB0pgRQBPMmS9BQRCSY0uKBY9zwaSNtASu58JfX/MkjX9F:XFFjByQET9iu8PXjT
                                          MD5:EB6EE54899E763C0C32625847735CB42
                                          SHA1:98DB0FC03A7BBD71901770F9637AA3EB57DC05D9
                                          SHA-256:0FA8364972240178560821D374BDA70A8A5E5B2AE05374E258C9599D8DF4A554
                                          SHA-512:E205199D0AE9A68BDD8E26809D5CC6C8360EA00D9C94A6B53F1B48A6EEC7DF7672062B4A9BF8A3A890D8053E66241464D099520841F647EFD98862AE3AE4AAFC
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):278016
                                          Entropy (8bit):6.002198044760076
                                          Encrypted:false
                                          SSDEEP:3072:0YFEIZkLcSqMJUGotgtsKhXQsYxC50Xj1AWOAPEd:zuLcScGmNlC50Xj1AWOAPE
                                          MD5:5F0D90D65156DB90A2B5D0EC4C3FCFF8
                                          SHA1:D4341CA5CF262DE98EC772C770FA92F4B8E8A9F4
                                          SHA-256:EF215DA0B20F6F46B8FD2D7A557319EB30A1A2B1031D3E4C0B37B1AA4FAC58B4
                                          SHA-512:7C56D8A8FE5890C68F68E685B48E3D956159768FAAF7A27B701A5D62B5F55995E80519F200D8C11B8886165A67961545015438B1B48BA9B9139B4DF6CA6A8FDF
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):102384
                                          Entropy (8bit):6.0152637062152445
                                          Encrypted:false
                                          SSDEEP:768:xivYT8++UTS1jFHI4XV+2my6cg4ydlgW935aoQL4AikNQsLedDGuUf2hI:YL3b1FHR+U6p4KlT9ESAimFLeFUfV
                                          MD5:AB650B8F02BF49D2FA1C015B8F9B5EE8
                                          SHA1:02A02BD474948E110FA8B25E21E3898776CACCA8
                                          SHA-256:32149ACD851FC37BDC5D1C39E84CCDB9AE4ECAC103BEC628E9C29450381C8248
                                          SHA-512:2A5C7AC3EB09B6F3CCCE3E150A84094CBA2EC1B3CE518F78CEBCE93564E505E42E609B338E9F2D0AD5BAC1A44D328CAA9E20D9082E8C46C988ADC9F4E256CAAD
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):5498352
                                          Entropy (8bit):6.619117060971844
                                          Encrypted:false
                                          SSDEEP:49152:KO+LIFYAPZtMym9RRQ7/KKIXSewIa/2Xqq1sfeOoKGOh6EwNmiHYYwBrK8KMlH0p:IGoKZdRqJD10rK8KMlH0gi5GX0oKZ
                                          MD5:4CD1F8FDCD617932DB131C3688845EA8
                                          SHA1:B090ED884B07D2D98747141AEFD25590B8B254F9
                                          SHA-256:3788C669D4B645E5A576DE9FC77FCA776BF516D43C89143DC2CA28291BA14358
                                          SHA-512:7D47D2661BF8FAC937F0D168036652B7CFE0D749B571D9773A5446C512C58EE6BB081FEC817181A90F4543EBC2367C7F8881FF7F80908AA48A7F6BB261F1D199
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):638192
                                          Entropy (8bit):6.121612263603408
                                          Encrypted:false
                                          SSDEEP:12288:aeAClh/JUd4/0OHSsecsFJPNK3jNeJVhoo:ZACl10OHSs4PNKxsgo
                                          MD5:30035261439F666D41E3A8E851379EC7
                                          SHA1:16BB1176D6775EB1771477AE7CCF79759CBBE2E7
                                          SHA-256:CEC70C7601106FFA9F22BC316F6B56B356D3986EBB1846E85E5D8D70AAAC07F2
                                          SHA-512:117CF2E52F9F5798E19A6D9CD90E525EAE5998BEBBB49C8F8B961E45AD0121CC24F1615214E3D9E35D7A581EDE7E29365ABBAE402FC2CD7715FF6828599AEAD2
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):6023664
                                          Entropy (8bit):6.768988071491288
                                          Encrypted:false
                                          SSDEEP:98304:hcirJylHYab/6bMJsv6tWKFdu9CLiZxqfg8gwf:+irJylHFb/QMJsv6tWKFdu9CL4xqfg8x
                                          MD5:817520432A42EFA345B2D97F5C24510E
                                          SHA1:FEA7B9C61569D7E76AF5EFFD726B7FF6147961E5
                                          SHA-256:8D2FF4CE9096DDCCC4F4CD62C2E41FC854CFD1B0D6E8D296645A7F5FD4AE565A
                                          SHA-512:8673B26EC5421FCE8E23ADF720DE5690673BB4CE6116CB44EBCC61BBBEF12C0AD286DFD675EDBED5D8D000EFD7609C81AAE4533180CF4EC9CD5316E7028F7441
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):649728
                                          Entropy (8bit):7.039680213745585
                                          Encrypted:false
                                          SSDEEP:6144:MQOW+qYe7k6z8Mm6VKLjg1SL41q6iecU5PyAWIMWvh2MHg/sKuHNsEYhr/0p4D53:MQfi+r4w1SyqdexyHnMYsKutsEYR8pm
                                          MD5:31670756C84482C651BB895F9A6B87E5
                                          SHA1:A543B94A82DAD65923F4F2A666D5BB7020811BC8
                                          SHA-256:980069AFCB062404F1ACA91CACD514C28E55513244B44141D29359369EF950CB
                                          SHA-512:C1C1B5B88AB548A518CAF295954A3E833B0F7393ABF55011130707B76BF024034713313D8323026F2AD91D3ECB8635D7914AC336E3E627FEBB4C006657D509EE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):61680
                                          Entropy (8bit):5.923759574558729
                                          Encrypted:false
                                          SSDEEP:768:ek8LeBLeeFtp5V1BfO2yvSk70QZF1nEyjnskQkr/RFB1qucwdBeCw0myou6ZwJqe:ekwewnvtjnsfwGFIAB0hy
                                          MD5:A5471F05FD616B0F8E582211EA470A15
                                          SHA1:CB5F8BF048DC4FC58F80BDFD2E04570DBEF4730E
                                          SHA-256:8D5E09791B8B251676E16BDD66A7118D88B10B66AD80A87D5897FADBEFB91790
                                          SHA-512:E87D06778201615B129DCF4E8B4059399128276EB87102B5C3A64B6E92714F6B0D5BDE5DF4413CC1B66D33A77D7A3912EAA1035F73565DBFD62280D09D46ABFF
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                          Category:dropped
                                          Size (bytes):2652672
                                          Entropy (8bit):6.5100737069425705
                                          Encrypted:false
                                          SSDEEP:49152:/drr5uORwWnFgekvnXCkqbPnVc/t93AnL2:dr50D+6th22
                                          MD5:3E6E3F672ED39CBEA7F7FC594BA65167
                                          SHA1:B2EC77464A04ABAA60CC3AEF232A01D302117FDB
                                          SHA-256:73124B69D6F3C54AFDAAB9CDE89656F415923119ACCDCF918ECDD47F78FB0210
                                          SHA-512:54CB29B1D2978886934B9181FA011EBF73427EA306D67DD4D920ECF57002DE636194FBCE53B9D94D0FD796D2CDD35E942619672442AB2A6A4D7F4E54CC35E724
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):905456
                                          Entropy (8bit):6.410762946527034
                                          Encrypted:false
                                          SSDEEP:12288:aynKy8oJXHlyEolsglxb/Gj53/vpZcZjlIcPX3NDdpMEZhJeuv:ayXFyEoLk5+tn
                                          MD5:FED654B78DC2EF46288A50A506AD024F
                                          SHA1:DA1159917FF8E03451A9CEE0A7C26C09D838BDF8
                                          SHA-256:C64245CB6606570963F243F538F83A42EB04D280A6AECFAF6F71BC83D36E7159
                                          SHA-512:B9DBD4CA4EB9941FD5C9DC132C447D5A118DBDA586514AF2289807E4D817E120F4EAEB3CF9D3BDB019A5FAF6AC15B5CE8A5541E6233A7536568C88AB46BBD601
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):123632
                                          Entropy (8bit):6.284281913194961
                                          Encrypted:false
                                          SSDEEP:3072:/SfUojZOKNl/EYtExUOpyMZ7VnHFcDbOdKO4:/SsYZOK7cxtpyMJFHFcDbO8O4
                                          MD5:F6B28E1272214B3B7134D792CE38F956
                                          SHA1:81767B15ADC49BA1E9CF16498D3E6D20CA93FF40
                                          SHA-256:EC3298F6A7BDE1D4CAB59BA629BBEE87A322D0EFDC8A59D87FF6D406240407B1
                                          SHA-512:4A40CD3320512D19B9F63C793351DC9A374615E8BA6EAFAD2AE7A1C6D9A92A152106FBB5F96AB01ECE3D87CBA4C5FD050524DCBE4842F4E12D5B2F09D778052B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):2214912
                                          Entropy (8bit):6.384721005949699
                                          Encrypted:false
                                          SSDEEP:49152:ia4lRuO7XhnHmm4HjrbUABSEIS0Al2wIiXXo:vP8wbX
                                          MD5:DBF3283EE74FACA95837DF0499F2769E
                                          SHA1:A616D088099D914356AFACB1CAD9D7FD6577838A
                                          SHA-256:C1D5952D8C1D258866AD7AA8C4A34E98E3953492093E39B651A8EEEB7B3C2911
                                          SHA-512:A6F928A7C3DCE1F3EFD344ADB31F495E9ACEDAD2735329D9CD26705460F4A1150AFC05B457B7B9166CDB0C2A9F34850FF2FCEBB495A2879AA65D5354F3A7FD52
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):18278912
                                          Entropy (8bit):6.415110000021905
                                          Encrypted:false
                                          SSDEEP:393216:EsQdvh76/JkvrxVY2Xkarvb1mTLlMGRhUU6DmA0viO/ilJ85EWlB/jBtLs:chU69GFrn/jBtL
                                          MD5:9B5689B0D551161AEE9D45FE6A438FCB
                                          SHA1:2C435765C66BA18086850EF532BBD08EAB755944
                                          SHA-256:79816E0BA8786690E2C1EE8758D6D64D2B583131934BE2F9E870736C54DA905E
                                          SHA-512:2193ABB629F1F04D4BFEEC4C74416C3E6D45572F9B02A29360FA08A19E17E0149B5A61BCADB92E0E409579C3B2DB08532E7CD2F5C82871D185B71B1616A94694
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):285184
                                          Entropy (8bit):6.134546329576554
                                          Encrypted:false
                                          SSDEEP:6144:mwm1yAstRH4FBEiD17SCltmbuFeU77naU8ht8WEPZFlT3C0:lm1yAstRYFBEiD17SCOEhFl2
                                          MD5:7B228925B73F2D00787CA4B039C31648
                                          SHA1:1D7AFF84B58FCC076FB3897A80B6A41A3D601C2F
                                          SHA-256:62E57B4424230221F4A287D3F8960828A0AD2873EDD1A02920A8AAF48475779C
                                          SHA-512:075DC24D7E327F211E3FB6B9FA6C67C7A384503BD3230E08F2BCDFBDEDD099178F04F388F864996DD283DF12AC9A3F718EE644D055044CEDEB5BBFB0B0B481F4
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                          Category:dropped
                                          Size (bytes):640512
                                          Entropy (8bit):6.552116885372862
                                          Encrypted:false
                                          SSDEEP:12288:ltu3Vl+FYgd6Y5uvdrc7vBPj9KhPkLpLYz:ltu3VlfdY5Mdrc7vN91NLO
                                          MD5:533F81EB1CDADD117C5D0B2D75CE0D8A
                                          SHA1:C6003769F1CC324F7AEC324F1626A25D7396008D
                                          SHA-256:65F029D7DB3B4F4D372E89D490A77BDC43934563C5EE70E7501E12DEFFC79E5C
                                          SHA-512:56636DE5D2A61D9CF8F0DAFAB2CA8514885374B0C87B38766DC53EB5C84F8BD281D4451E8B20481B223A8428DCD34653D7106CA130AD7186DEC99C655CBC9892
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):99840
                                          Entropy (8bit):6.070375909397882
                                          Encrypted:false
                                          SSDEEP:1536:gidhTVwoKodN5deiZT++24zVwOe3XSjZ+DNli/xfoCbIhEkiJorBnpL:VhZwoKoXHZTF245wY9+ZlilZVyTL
                                          MD5:A62B144F7018735973AFEE25CA8B6B03
                                          SHA1:71DE842D0ED154C1CDCE145AF4B0389A8B21762B
                                          SHA-256:498C6EEE37060600B84CE9484A707386592C653022AB28CFADFF3B1A168C6547
                                          SHA-512:CB1BBD83627A800A1E6B81D6481DE0C69AC03DCE44F082A1BF6FFCC901C16E07956570FFC5D70D720C4B4696403997F70069DC4750AD30EFD19B817E78679755
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):285184
                                          Entropy (8bit):6.134546329576554
                                          Encrypted:false
                                          SSDEEP:6144:mwm1yAstRH4FBEiD17SCltmbuFeU77naU8ht8WEPZFlT3C0:lm1yAstRYFBEiD17SCOEhFl2
                                          MD5:7B228925B73F2D00787CA4B039C31648
                                          SHA1:1D7AFF84B58FCC076FB3897A80B6A41A3D601C2F
                                          SHA-256:62E57B4424230221F4A287D3F8960828A0AD2873EDD1A02920A8AAF48475779C
                                          SHA-512:075DC24D7E327F211E3FB6B9FA6C67C7A384503BD3230E08F2BCDFBDEDD099178F04F388F864996DD283DF12AC9A3F718EE644D055044CEDEB5BBFB0B0B481F4
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):324096
                                          Entropy (8bit):6.3377399185673235
                                          Encrypted:false
                                          SSDEEP:6144:FBgyWUu11adMCSxB8zPMc4UvH1gjSnSapcWAAEJTfSQSg913ieVSuQMsPcZwf:FBgXj11tC/PMcWapcbAoTfv130b5f
                                          MD5:8B7BB6C392EAE81F3B4F0A5638BD50E3
                                          SHA1:54AC8ACA96234D59BDC8AE2F800185E48F50CAAE
                                          SHA-256:B85A49A23BD8A554F7ED475A8817C5E027853A86B3D94BA4DCF4EFB9109D2579
                                          SHA-512:87B8E4CE2F414CCA07AF6EA10337A04D37C8243BF62BF092812A5406A546AD92F08EC572BE8D683598C8EC1DFD1AA55D50C17BA80243469833D896DDA1DDE70C
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1575936
                                          Entropy (8bit):6.522022448413462
                                          Encrypted:false
                                          SSDEEP:49152:qSY0LA3zwiZzjs9nyFHV1Q62ThDAQp7/VqPVcuP:ahAThDAQpuVc
                                          MD5:21BF4638E5ADA899A43AC322BAC4600C
                                          SHA1:9BC1D6E44E14314C6B002436D4EDB9B7F8A51FB6
                                          SHA-256:AEE3F7C3EF4477D46F9CD65B00BB2EBAA23C2EDE84D60027102F97F3463542D5
                                          SHA-512:DDDC9A5EB060D82F8C3741E1F2241924DFD00A15A29D3EB00B0F87B38A34E0063E0B885E41F892A7966D28F5379A71D8BDD9DA434FA14B278672F64328540F5E
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):543027
                                          Entropy (8bit):6.081562472859807
                                          Encrypted:false
                                          SSDEEP:6144:SS5KjgGnpG7wZAF86y2iLmKiXc2HsvOB/2FV2/vF98G5hSkZqBG1N64vdw:9AgMVwPy25G2j/2FVuvUY0yN64vdw
                                          MD5:5427B1D1E958FE77B18C6EA992B1BCD6
                                          SHA1:E3D8946C366402C7FDE6053DA666F1E066E5A7D7
                                          SHA-256:FEC43CB18CE0EC8A5DD6AD1DB745747167310CCB92B5ACFF0D445A8B3013F009
                                          SHA-512:FD47E681ABA34A0CA4A9E6300905834163257E3BF11EC4A214231DD0FCA85E023DE0285151B5DEE835EBD9A61EF39E8E49B0EE55BC0C77AEBC9F601EF3ADD799
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):436011
                                          Entropy (8bit):5.959829336161829
                                          Encrypted:false
                                          SSDEEP:6144:Whq6r4b+TzXbwkjY7A0cEecZjS2a3Q4k4P9:Whq6rjv0kjMAYu2ag4k4P9
                                          MD5:46342925772D32E44ECF4D846C450B20
                                          SHA1:AAC70299D4B1B9E10718313235C69C4FB75AB034
                                          SHA-256:09B3B868B96433991FC15C9C5AE6F9A44C62D2E21194110442607917391ED927
                                          SHA-512:144C7F914539BC42AB315C3E063AA483BA03CA50B4FF1636B447AC880E9DCB5E222F19B9365E0AAA4B4BCCC0C2B543DB3243C143B5DF7E339843827F0B56B994
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):4072960
                                          Entropy (8bit):4.29892941159376
                                          Encrypted:false
                                          SSDEEP:24576:kurEhBFeA9Yocw4I3UX/Q6keuzbkLnqJFzTUbRBZxzf1fkG8qkUfT6T36S7cLqRd:kTgA9YIU03nzTABZR1f4/oT6TKZLqRd
                                          MD5:BBB1E3F824CCC683CFA76D66ABB815D3
                                          SHA1:A648215F3F8610BB79BE1DC2A291A7CA80B0C688
                                          SHA-256:F6ABC1333233A2B9B93312F2531AF32250BDC9DC3A337CDB3E20F6B4E3895476
                                          SHA-512:E32DF05E32C1DB5E2AF3B8EF567DFC4D5BCD43BE9C52BAC5B4FB8DD8B778E5A7B8D519AB18AAAA85EAB1B3A5D5E1239DCD107B578F9215BF99B7540268BD034A
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):150016
                                          Entropy (8bit):6.153853842832493
                                          Encrypted:false
                                          SSDEEP:3072:795pD8/5DF369YVKIf/AihiUNS1ZHGQJImIQaya9bmMAznIcH6KkeNWi3uRNWONp:79n8/5o9YVK4WSmQ9lSHfkM
                                          MD5:4CC6FC8AA81C763F819EB171A72B0755
                                          SHA1:A795938F6A3A6878B7125C037E92CD64592BB9BE
                                          SHA-256:B6DE4A001F659EDDCFB2E0E818AACD4BD0BB687EF1EB316E682CC6955C2B6178
                                          SHA-512:15955838CC3C81A970A5DAE2805567BDC101B9B9FEA310316EBE115944E5492DA450BECCF14638BE81D8E3F49196E201415909181A0FD70774B339F2E0051B09
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1305600
                                          Entropy (8bit):6.500414270235113
                                          Encrypted:false
                                          SSDEEP:24576:wsae7nuBe/fiK+A5RStikHZVVYIgkVkP/txyfk:wsluBe/aK+A5RnkHVNgkVG3yf
                                          MD5:5E340FB8D4F34B05560CDF0D6FAA0C95
                                          SHA1:DC94163D199DBF99CA9B2ABD52E9DA9BA411B3AA
                                          SHA-256:DE36FB112F7062BD5B507ECF689D08AB070163E410E72EF8F2DC4775A8A5795C
                                          SHA-512:4F5553011564A2631677B9360D68B878F4B6A4AB02BB0D485D0B340C1C4D4845489784EE4E8AAA6D48BCD92FE36BA2309C05489363CD4B8F41806AB5E154AF3D
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1248
                                          Entropy (8bit):3.411406870003142
                                          Encrypted:false
                                          SSDEEP:24:JNQNANQs8Bw5NQMJ0y4TVOkHUYlg2NQNnNe:J+i+/Bw5+k0y4TjHUY+2+BM
                                          MD5:10E499DB3962E1CA5FECBCBDF2D623EA
                                          SHA1:BBD9C1D5F081144ED3096825900E7982120E9318
                                          SHA-256:B0180C8E73919E584EC2DB3D8916858D7EA3FF4FBB33A8C535CA5FBC2E6E57E4
                                          SHA-512:4BB76A579188E9A4AE5D48064BA24CC8049152A0961D835910FC013E2A2480AEEA1DFC9D2B5A419722077920B2EF854FDBEE073A3D1203A9977094D400A6456E
                                          Malicious:false
                                          Reputation:low
                                          Preview://##########################################################################..//# #..//# CLOUDCOMPARE #..//# #..//# This program is free software; you can redistribute it and/or modify #..//# it under the terms of the GNU General Public License as published by #..//# the Free Software Foundation; version 2 of the License. #..//# #..//# This program is distributed in the hope that it will be useful, #..//# but WITHOUT ANY WARRANTY; without even the implied warranty of #..//# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #..//# GNU General Public License for more details. #..//#
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):627992
                                          Entropy (8bit):6.360523442335369
                                          Encrypted:false
                                          SSDEEP:12288:dO93oUW7jh6DN0RUhsduQjqDZ6X/t5mTOKGmJ7DseBiltBMQEKZm+jWodEEVoFt:s3oUW7jh6DN0RUhsduQjqDZ6X/t5mTOo
                                          MD5:C1B066F9E3E2F3A6785161A8C7E0346A
                                          SHA1:8B3B943E79C40BC81FDAC1E038A276D034BBE812
                                          SHA-256:99E3E25CDA404283FBD96B25B7683A8D213E7954674ADEFA2279123A8D0701FD
                                          SHA-512:36F9E6C86AFBD80375295238B67E4F472EB86FCB84A590D8DBA928D4E7A502D4F903971827FDC331353E5B3D06616664450759432FDC8D304A56E7DACB84B728
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):31512
                                          Entropy (8bit):6.482572392659554
                                          Encrypted:false
                                          SSDEEP:384:N7K97EGM9l0SJuJZVWnlVI/GDYWcn53WMlQpBj0HRN7gr5mQHRN7AFA8pUclXC/:tKcJJuJZVWlVlq/qWgro8WA8pU7
                                          MD5:D281BE80D404478EA08651AB0BF071B5
                                          SHA1:E81DC979D8CF166C961C8E7B26F5667DB9557C47
                                          SHA-256:5E627FAC479F72363075824423D74D0A5D100BB69377F2A8C0942E12099AF700
                                          SHA-512:FDA7C43FB6EE71C7CCBAD7AD32C1F00E454CCDEE3BBC35DE4045ABBC8998281CDAB9C506FEA8417DF25FF0EF09471EEA49F63B2181E160C62BDA804FBFD8C376
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):206104
                                          Entropy (8bit):6.527663270766649
                                          Encrypted:false
                                          SSDEEP:3072:cXY40poiOthG/NS7rngyB9N4DfwAp2Ywz73GdXrQw18TYfHbd6q1:cINpBlNry5DAMYzXcY8TYfcq1
                                          MD5:210BB45A43B2F8FA7F6CFC31FA4EC6DD
                                          SHA1:3DACFA339AC11488D52A54806FFFAF437BB0CAA8
                                          SHA-256:AA965BC8429994C97BC2498ED8051A4101F7987A376924B105DE5F7915E42A48
                                          SHA-512:8A0E8863B06B306B11E0ABAD77B0285DBC17B8A778E241C2EBE0285BBF12C7B7CFDEACD6ED6D2BF71887342A94DACEADF8E0AA3164D4492E1CB9D0D1FECEAB96
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):943104
                                          Entropy (8bit):4.884100718195113
                                          Encrypted:false
                                          SSDEEP:6144:GNVEvTyvUpeL7/Al2ntAFXgltlFgj5KsOHhTmkijOcprzyB61vdq0umlKnSDpd:GNOTyvTX/AxGlUK1KkWyB61FTuEK4
                                          MD5:799A5FF9D9919DB09A70ACBA8DA22E3F
                                          SHA1:737A8000644C5C59B8E609DCC7C87B807C4D70FB
                                          SHA-256:0C8F98093EADAA3EFBC4DEF4E047B61BCE3262A395F9214D574F51DDDFDA2E4E
                                          SHA-512:129F35F37874C228A74ADA9C429F303E1EC75E3701B085B8D7D9A360D6B525B93D40D46FA70795176625295DB19DA5EA67E4D07920C86F86B6702F0965B71981
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):65625088
                                          Entropy (8bit):6.716204630721569
                                          Encrypted:false
                                          SSDEEP:393216:sbMrUzNKCHFRGrF9uETlbLiAUESilnLo:s2cNWrFwETlrnnL
                                          MD5:C8AA5618B3AEBB44A1DC971CF45DF6AF
                                          SHA1:E63D348666665876DFA22854F7DD3D450289425E
                                          SHA-256:8799F59DBCF8F7EB8B56A0D6EFD8E957A1985CD2CD4723B4228731288A5FAE88
                                          SHA-512:0936CBA77118A4451C73324D971E64946824E665DD411B84EFDB0B209BCA3CF5895C5A3D557489B303C970B870980E39DAC71D9B2BC472D22667006D81C80E47
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):180736
                                          Entropy (8bit):6.4689591835949
                                          Encrypted:false
                                          SSDEEP:3072:3RZCni3L3TP4OKFE+rtuiNFEPj43AQsnA1Tg08fC7jqC5UouCGZCktTiNTqtOuK+:vCni73TgOKi+RzGr43AQsnAF5IWswPw
                                          MD5:EEA12E88CF534F41963EDAD1522D8802
                                          SHA1:9AF546CCE2DCC16EDDF3B517D89D35E51990DCD6
                                          SHA-256:18F3E0E9C7C84666C4D738247D607065CDE890569CEB621CFC95DE77AA8ACEF3
                                          SHA-512:F917F1655D9371A1D5A026677DFBE5B8EAE6FF69528253F36CAE468546A952733DBB159566240158A9608256383A92A8E64545522612E93ACC3BDB83EBBE045B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1477104
                                          Entropy (8bit):6.575113537540671
                                          Encrypted:false
                                          SSDEEP:24576:4mCSPJrAbXEEuV9Hw2SoYFo3HdxjEgqJkLdLu5qpmZuhg/A2b:nPlIEEuV9Hw2SFFWHdWZsdmqja/A2b
                                          MD5:4931FCD0E86C4D4F83128DC74E01EAAD
                                          SHA1:AC1D0242D36896D4DDA53B95812F11692E87D8DF
                                          SHA-256:3333BA244C97264E3BD19DB5953EFA80A6E47AACED9D337AC3287EC718162B85
                                          SHA-512:0396BCCDA43856950AFE4E7B16E0F95D4D48B87473DC90CF029E6DDFD0777E1192C307CFE424EAE6FB61C1B479F0BA1EF1E4269A69C843311A37252CF817D84D
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1477104
                                          Entropy (8bit):6.575113537540671
                                          Encrypted:false
                                          SSDEEP:24576:4mCSPJrAbXEEuV9Hw2SoYFo3HdxjEgqJkLdLu5qpmZuhg/A2b:nPlIEEuV9Hw2SFFWHdWZsdmqja/A2b
                                          MD5:4931FCD0E86C4D4F83128DC74E01EAAD
                                          SHA1:AC1D0242D36896D4DDA53B95812F11692E87D8DF
                                          SHA-256:3333BA244C97264E3BD19DB5953EFA80A6E47AACED9D337AC3287EC718162B85
                                          SHA-512:0396BCCDA43856950AFE4E7B16E0F95D4D48B87473DC90CF029E6DDFD0777E1192C307CFE424EAE6FB61C1B479F0BA1EF1E4269A69C843311A37252CF817D84D
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):2327552
                                          Entropy (8bit):6.176241265246855
                                          Encrypted:false
                                          SSDEEP:24576:O9XXVP3T68F+qFOeFHHnCezLuDOVPWoMTHNRxoeGMQTemhlYglQ6/:O55p9FHHChuWoMTtRxoeG7TemhlYgl
                                          MD5:BDFC79FCB07C834E2DA85800A1DED6E8
                                          SHA1:CC10974040DF9453D3C2E1F63CFD0353B334547C
                                          SHA-256:15B657DCC6FCA6FADD1B1BC578F6AFCC661E4B5C5B6EC932CB830D954DD8C6CF
                                          SHA-512:D9A309458508EC95D5D17DA6028516EB44395757EBF2E0F232C454F3DFC5189463CD874F7452147C3AB2542D305F4D6417ADD600C05864150786BA8B6484C35D
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):809984
                                          Entropy (8bit):7.311103595541181
                                          Encrypted:false
                                          SSDEEP:24576:McEE5PGNJcyJDJKpEW+QCWYCG9XnZJmy5njJ4:MLE5P2ayJDJqgWY9dNJjJ
                                          MD5:9014EA0027A81C883FF4306AF520ECA1
                                          SHA1:DF47F88964B5BC61B4E64E52F82ADA16CD2621FB
                                          SHA-256:1088FC098DB5CAB69AB2EBDB746499917427153B638236874E4D4E787CAA7C48
                                          SHA-512:DB62B6D9CD89D373D6899AC72BE54EEF40D0661208DD3C4D4A339215268AC2064AB11E17F9282CCB6E31D957DCA10DAA10379A711914B17268BCFBD71251FEBB
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):256000
                                          Entropy (8bit):6.02324937299118
                                          Encrypted:false
                                          SSDEEP:6144:ub3DYs9jX5c8AyhnZONYRfSWDOYWZXUqXQ2r1At3d4haPqjaGQzJAS:ub3DYkJNZOCl
                                          MD5:3B591115D780BFE4451617ADF78ED6C0
                                          SHA1:C02FA4AAADD880BD67BB4F4ECA3F7D14B1BB6EB1
                                          SHA-256:42C6CA961FCF7BA295C6E5B557791CB31A7BEEEAEEB93537B7305D7D88822F61
                                          SHA-512:B140C1E6AFEFB0730EC260E5A14CABCF2B12CBCE93EB9D94C2652DE275DC1BF0F3C9277C83B8AB04C573C1F0278C859DD7AC5B3491DBDEA0067080173B42D798
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):199680
                                          Entropy (8bit):5.994057512347577
                                          Encrypted:false
                                          SSDEEP:6144:7Zf559/yXbc5N6Od7wUZiVOYWZXUqX8wrAAt3d4thaPytaGmdFSVX0Go3E:7Zf1qYXd
                                          MD5:B0CC9E45C8D303F745F0B68762C8A112
                                          SHA1:CF860A5490A7722B992A5AA783D463F5A40B8DC0
                                          SHA-256:3A224F72F4338C977E1CBEFDFCDEF4FF11BB1BE6B1283365710F746B98F74AB0
                                          SHA-512:318BB5009060E937B4D4EA4569458083BBD4D9D81EF07027AC41CD0CAF18D36FEDE6007514190FE86361A0BBA19EE0DE1A59B0B312C32BFEC0F4D4110AD57BF4
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):418816
                                          Entropy (8bit):6.226647789656364
                                          Encrypted:false
                                          SSDEEP:6144:FK1HkSgTvS0y0PupZ3n5IudVJ3agowgieMjNhDhu7juPU7+VYWXUq5jt34rUjGbs:FKdgTvY0235DJtdjNhDhKSD
                                          MD5:C6432247B75174F587472B3721D3742F
                                          SHA1:40A4DA32B40B98C09BF9926D81FC7DE03A39E705
                                          SHA-256:B91970A166CE4E44EC392D8C4193996D9079F17A1A2135232891FFB677B0FCA6
                                          SHA-512:6073987EBAE011A4FF3D24CB8778128073AB900E43F1D322781860D26C55EFEDBCE31C6ED586573D307E8C05CD93BE366245B18B84DD7CFBA2FF2864FF0FACA0
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):228864
                                          Entropy (8bit):6.33558640199254
                                          Encrypted:false
                                          SSDEEP:6144:nOarQz/c6r5l6zjq3GBpt5zSTDXq5MmUjGx2/PYWZU8wR3dthwaN+rVtI:nlOv5lojZbh
                                          MD5:C4136253C43123F1AC10F8A3264105BB
                                          SHA1:56B6C6E55C5CA52E251013C43CF82C0323756AD3
                                          SHA-256:96AC8A5F9535F785D38D0E04ADC07B926316297D9BF4F31B40270E2DC103527C
                                          SHA-512:E9A590BCF344EB500AECE2EF31CAE9399715651A0357E2DAC00FCA9D0135045B0727FE76EE9DD21093D5DD050887C75928673351483ACD76753CA0F541C286E8
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):762880
                                          Entropy (8bit):6.830912301583025
                                          Encrypted:false
                                          SSDEEP:12288:zf1o+/qdWYlYw5Ne23xko1w4G9AtsZqoq+qrqoq+q+q+qYqIqGq+qJEWKRQ0zrW9:zfK+iYO3sp6sPEW+QCWYCGf
                                          MD5:19CA96363DED6BC2860E5B75E047A4FB
                                          SHA1:0695FE635DDD05AA03BCF5C8FFB10FEA2883B210
                                          SHA-256:896D546BFB5F1DAD137149AE1E79A5581C1E17DA54C971B28958BD0960F7FA1E
                                          SHA-512:03EA10E313BA0B6D82B9549B2D8E65A3B7BBF1F412C150C514021EDC70B8D3054AC65A2EEF4D1F8F3401E875C83AB496100A804AC1262B3AF60DBB0D23E78428
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):176640
                                          Entropy (8bit):5.979004104906084
                                          Encrypted:false
                                          SSDEEP:3072:yDezrKCWiK4KUCT58JUpGK3ETnvMdnRSxDOkZXqi0n3d4Uwtv0QZdn1d5BKJ7:ygK4BC8JmGKU7MdRSxDOkZXqi0n3d4UN
                                          MD5:CAE0381FA5B340F4D994D60934FE517F
                                          SHA1:5B8DE02471B39CCC1159698A7029EBC918375F26
                                          SHA-256:9B8083EC253D0BE27D15BCF1FB9E8FFA2137C99E6608BB23D135FB082B03353A
                                          SHA-512:91EA95A3840723D3BBDFA062C7BC987E0EEE258A919119E6F901C6C1F2041D45815CAE4D1F682149FD05B94A7889E8FCA302F14BABCAB1BB51A32262DA915C5F
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):176640
                                          Entropy (8bit):6.210464486399451
                                          Encrypted:false
                                          SSDEEP:3072:CHqi5QS9LZnjXtSUYSI5mvZMmxsIBEoE0UlQwSpPUB+VYVUqK2rntmrUgjaGAKvV:CHqi5105mhMmWIBrzpPUB+VYVUqK2rni
                                          MD5:B5B35AEC6CDFAAD5B25BC2FEFFB65FB0
                                          SHA1:E6BE61074D3DCC11F53FC81B0FB533832E6481D8
                                          SHA-256:A7A4E133D4AACD25A8E135676A15453C25B924A99356BCB4118CAFAA22F66066
                                          SHA-512:9168DF919D02C5DDF324966101A6D8BABC77CD34B4888E607B425E705DB9557E156A4BAD16DFD3C726A3FD370AE263BA8F8A52BE62A9BD765B8EB3C3F7FD6407
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):513536
                                          Entropy (8bit):6.228865745475452
                                          Encrypted:false
                                          SSDEEP:6144:ICUdIydi6hckUW25QqnOELi4e23dyjk7hOgl7OGi18ttFHP6gj11FNB+qiwrOhal:IXi6EW25QoOELwgdOvgHygjrmm
                                          MD5:399F8B310DBC01696C3DDB6CE788C564
                                          SHA1:82FB9A77B710367DA8D2154A946B0BCA92369B93
                                          SHA-256:B389F5986484FB17F814B4B78211BE98AAEBDF95A803BA9A63ED21BD4BC7A75B
                                          SHA-512:F4A355EA7E115C7C8B7FBAF37195ABC7D995CAC439924C048BA9FE2D925D191379462072D68C9329B9D8344061E16C6BD1101573EFA3869B87313245BC608B24
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):359424
                                          Entropy (8bit):6.110250673660502
                                          Encrypted:false
                                          SSDEEP:6144:egGbJ/wl8Zg7MwSg3KkOdy/eceJc4kb6QHyHhJUDVZqXr/4tUPtGh3J8:HGbJ/xtzy2vU6m
                                          MD5:72617BB41D6B8FFBD21C41B656743F15
                                          SHA1:D0450960CA791E5089D94F28685D44FE7B66D9DA
                                          SHA-256:4E2DEEB11349005DB7C7C66AB894EF993C3B0ED77C67E9E6DCF0B733A77CA7F5
                                          SHA-512:405D97ADFB5D5DE6B7A980491CDD1C295EF13ED1145777C15EAD77661DB568E0EE253437AE6F81C2F564F5155FACA60A1271A0A9464F7282759CA640FD8E3627
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):446464
                                          Entropy (8bit):6.568690443444106
                                          Encrypted:false
                                          SSDEEP:6144:nO9LDFnmdy+DvALZLBo2os4hzkcjxa1jW1o6cjSNxGQTgaOnPjS3oSSPUa+VXqXt:O9dmdy+DoLC9hzkctUjW1oVjSNOnOY
                                          MD5:5209609C3F800F5B30BF5F3BD7091E89
                                          SHA1:62DBACC264BA0DD9AE839767FE2323C693807D7D
                                          SHA-256:A3D3031B665E5C1E2A8992826A57297E00DD3B7EA7EB559084E8BA204ACC15FB
                                          SHA-512:05EFB8E07D73EBD36E655A1D02C152758ABDBD43D0F65553BC71BC3B2D252843666C94A9CB69F4510FD21FB375254A24320D7C644E3BBF0706E7941628A241C9
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):175104
                                          Entropy (8bit):6.11735671904995
                                          Encrypted:false
                                          SSDEEP:3072:9Y0G2KFUjBfARsbW/OrqDwkqT2QuwU6iVOYWXUqKK5tAt34tUgj5Eg8v0/Vb:uf2eABnbIOrqbqTDuwU6iVOYWXUqKK5X
                                          MD5:8EB327D1029B136E4D7A71095022D062
                                          SHA1:B5C1874A4E23EE1FFC9EAAF272D4627EAD2609A7
                                          SHA-256:C426A8A164ABFFD2569811AD6E808DD575ABE10E472C68EDE69E9B6D6946D638
                                          SHA-512:29ED58A53A60CEF2AFC9B5824AB7FE2E47EE78C2F59A67858FC8ACB82D1409C622CDC7D7537AC32B7807D6C43971E95DD75A37E30CD381A5AB35ADE67C48DC8A
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):128512
                                          Entropy (8bit):5.681739065236602
                                          Encrypted:false
                                          SSDEEP:3072:WN4ouHYzbyr5a1tAIyrSvfHwUKiVYWXUqXwrTt34thaPtaGbBvIiH/:sz+Yzia3vfHwUKiVYWXUqXwrTt34thaJ
                                          MD5:C56F2BC406754EE7FCC98F207DF7E6A4
                                          SHA1:6BD56A580AAE0F5268F2E47205201D3E980B9425
                                          SHA-256:8F3B7191F8E63451C97E050197C95797823041318AB632B4890563A8AAD25C4C
                                          SHA-512:10B3369D8CCE4BDEBAC0F1194924E936A8B834B68432D55B4ABDA4AA85E6D4D9DB756823115B6C2E37B02F87FDFFC9CE717F6B977623325BABC5FD14AA0BC082
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):92672
                                          Entropy (8bit):5.699025601635425
                                          Encrypted:false
                                          SSDEEP:768:ZH/4VAVjyv3/I+5sjlfsUbsqA4HGNtYAG7RehRRldqKqhaaShhNt42L2XI0:54BoSstswsb4HM9BQbohh/FL2XI0
                                          MD5:7E8B270B0F5D6FAC1C08287A2311F182
                                          SHA1:922F7BC5D619A87DE976FD245C92807B0D9D25E1
                                          SHA-256:8DEBB1DE532E8F19910A5171BC17A4F61D95F64EA218A0BA06428F629819989A
                                          SHA-512:39083C9BA8003B1E2D0E96BE80468D71D0CAEF02D8A528F83A59BEDA646BDC8AB73520AE66AE6BE6E4727F2C90D18D7833812946EF512410F4B299D738B40695
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):667136
                                          Entropy (8bit):6.34619241274607
                                          Encrypted:false
                                          SSDEEP:12288:JN/JS7wk02GaPVBbhBuMfhar4oKEis9lSiHyu:H/JYbtfhar4o4s9N
                                          MD5:5B08EE82E421440576CC76FA55C815B0
                                          SHA1:9CB7BB486FD098E4D727820662B3247A1CDB2681
                                          SHA-256:04C5A5E11C5679B72AC7901EF3850BFEA96A37AA85CE4DE82EAF3D04F41A1417
                                          SHA-512:F954E7A36F2B3274DBE8123C96B344DDD770F7DD433DA4B5C0ACAC0ECA14ADDC08E2AD810FD7D58D03169D131B558FD35259B0E4045C30410EC25A4B980B5B7B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):2413568
                                          Entropy (8bit):5.788428616549328
                                          Encrypted:false
                                          SSDEEP:49152:jvh3MIAWPmR2DXCVLDzh5mJ8dIfialhjj/:jx+WPCVqfvjT
                                          MD5:6FCB8364953136BD82083C3D83811BA1
                                          SHA1:ABBC9B532F13CF6EF25FAC46F25E534BD294171C
                                          SHA-256:5D1595E5041B3773B3755D16E1AC291F04E99EE429479398410586434450C320
                                          SHA-512:391C676EEFBF7E4271955E0C7BCAB0F0FA0BB569E92D8BEAC6F8F538F9B43EC2FA19C72FE5DDFD4FC874EB29170DFC2640F22C5B43DBB88B3F8D93233F9F55B5
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):40960
                                          Entropy (8bit):5.56216524552819
                                          Encrypted:false
                                          SSDEEP:768:NB//tTSg1XQ9BbTYqIb10G7uBVtpnoc+G9/qxyVl2B6Zq4AYUXRL:NB//Bhg9tYqIaPupxyVl2B6ZqLX
                                          MD5:D0035DFB056E4D41C22ADBC73A0610F5
                                          SHA1:C9BBA2F02EA2E19711DDB1694FB23D1783F90666
                                          SHA-256:A854FE42BD3DF262308C0AA558D9C4BD72E7A02503CE97A32B21584997640271
                                          SHA-512:80D89E6B5B45397EFA8CAD1C59BCB37B3527024334E086C9C97717ED8BB18FDAD055CEC05A393DAD1E903ED57F626892A8AD0EB2BA4833394138DB588F8D3A20
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):179712
                                          Entropy (8bit):5.852434135668565
                                          Encrypted:false
                                          SSDEEP:3072:4hxnD6aRnrTiNTOPIGx2WhkaFzRRfxXUfBG2JyKD2ZEeyaYstPuUSikVYWXUqX8j:u7yNO2WVzRRfVUfBjkKyZdyaYstPuUSY
                                          MD5:66A1CE3D888299DD5BE35A198D3F4193
                                          SHA1:A50F711813243687966E82C8074199EE6D0CA5FA
                                          SHA-256:3992F7A2AEEEC2B0F980945CA7E234CF9B5A3E3DBC22175B7CA7E32F33EA15F6
                                          SHA-512:54333662EB185F693AEEA7B75F5A1AEE101AD863E7DB98AD1997DB5065388560C73E772B2855338594BE37F0704046F39A348A83F8C0586DD8BEC70D7A51DAE7
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):284672
                                          Entropy (8bit):6.16807195752963
                                          Encrypted:false
                                          SSDEEP:6144:VwYd2oduCK61HFSx6i61ySbDXUqXQ2rtmhaPqjaGx5OYWZmA3dtlsCK8Ity5Sqzp:e3o3HFSx6x
                                          MD5:12526E76341EF89259D59CAEC18045D1
                                          SHA1:349A87B9D215182D333ED5C775E20D8411F8CDBF
                                          SHA-256:73716620D787107D48AD76A589EB05BD425E47A4BC0ED9C7B5043811EB624FAF
                                          SHA-512:607B695650C68E3FE92CD7BF4767259F1746187D062EC77C1D8ADAC040B9E5ACDEBE4CC3523B42535655DC35BC9269212E7D2747827BF4F7FB276459CB4BD321
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):7794688
                                          Entropy (8bit):6.463547042992633
                                          Encrypted:false
                                          SSDEEP:49152:jto9kTHzq7czDlqm32WKMI57d6H+6yBg6CZNjHBEo/Uo9JKmjQwqZX+6+Yj7rne7:5ooDlq1BsMJ+ovWh4rdOqIkMVUaT7
                                          MD5:F76AB453BFBE4065FA95905950765C21
                                          SHA1:D6C512637C868ED73ADA1C38FEC3973065DF82F7
                                          SHA-256:646DC8D582D9A93B5FBC62C5212F698463EBF50537B2FEB7928EA1E560DBF34D
                                          SHA-512:4C6FF309B4B49927FD18387FAAABDD3C645743B8BB093963DB33E3971F4A366E386E90D29DE0BEFAABE15345D2D723FC625A23BBFAB9A13CD42EF53170DDE45B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):100864
                                          Entropy (8bit):5.986356949370447
                                          Encrypted:false
                                          SSDEEP:3072:588ia+Q4c3APlOqOGkP9wciYWXq5Wt34tUEpY+:58ha+Q4gUOqfIwciYWXq5Wt34tUEpY+
                                          MD5:7A1C478B641E5E42BDB17D52DB27BCA9
                                          SHA1:DB5119B53A0CFA9FB4D2A5C4AF48891B4D1A0712
                                          SHA-256:FCDA7F52F90ECFB749C8E4289271C209DDC4685DBA3944A41894E2551DB247CB
                                          SHA-512:B5112CACD7A0A9F36B769CE496FD66CB5B1EB628424FBAAFF43E4E38EF113CFF031C11A8EA91D0709F7FB11B72982A96622E49043879E14FAABEAAD2A5A20C53
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):364544
                                          Entropy (8bit):6.4959469184242735
                                          Encrypted:false
                                          SSDEEP:6144:I7lFMU+DIJaUthVezRKgC294EAA/dOY3T69W4cOjdKrgb33uVq5UtmUEeXjb:IxSU+DIU6p2ZO2W90P
                                          MD5:182794EC6C7E81E6FE33AD5EFEC2CED6
                                          SHA1:6F7C46A98DC62899A5E3869F32AC403166CE4C6F
                                          SHA-256:691A4E08C5D84CFE3E6FD5CA2D8088221AF86FD27657FA5B452E2951D25DD1F1
                                          SHA-512:29BE9CA3538F88179B4AAAFB88227A8F0EBADE370758E0B312C901CBBE8BE52ABBEF13433016FB0F3888C36A9EF25970FD7E5D43E4F754B994BB84D56BB3715C
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):78848
                                          Entropy (8bit):5.706468056806483
                                          Encrypted:false
                                          SSDEEP:1536:9k4/Mci6r3c8rqCn4ECmDaIwZMf7SHQQg:9Wir36CnDCmDtes7o5g
                                          MD5:2A1AF3679C02070A52A13B75B548310F
                                          SHA1:912BBFEBABAEFDB581CD88D2695AC5B8EA9A08C0
                                          SHA-256:34CE6BD3C5981C8C6E0EA329F30473E10511B01A5C901E70820CC0684F90B2DD
                                          SHA-512:C3490BB968E6B0C4FFC4458F7AD4AC0C67610C87C868A9BE436EBED641BAD820DB8297A9F92FA2244FDE3B5B50C4E409DD292FF2B792518AD7BD9657536F82D0
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):331776
                                          Entropy (8bit):6.093352707192958
                                          Encrypted:false
                                          SSDEEP:6144:rFQnkwlKk8uChUCw63q16OAVsLaCXPUy+VOYWZXUqX8SI2rrAt3d4hlUPytQ54GY:ekw0k8dUZas2CrLh
                                          MD5:838D1AEFC3FDBC6E138D6513B714FE7B
                                          SHA1:5B4C6818BFE34684138757E1690CAD5A730A36CE
                                          SHA-256:E242F8C764A015DEA36CCA2A183A431A53680BD5E5FC4F24F9D878909E90A61D
                                          SHA-512:66717B006A31FE9D8001F0A1AFCE4961C7D8DED050CC9C67C7EBDCF4B85902F10D49B5E1825547049224A63A0F6991C97EDDA3566E82C45476E1C20D51A6789C
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):420864
                                          Entropy (8bit):7.017370754405623
                                          Encrypted:false
                                          SSDEEP:6144:2Aa3aJFF+Po+4qnyRil/VcrSv2oGjDLXabtl+qTG1OmRwMMkuIO1ryswPijPuUKw:7PLFfqnuTo2D3AG14FktOh
                                          MD5:B623F80A4A8EA781520D28E372871E6C
                                          SHA1:E4BCC0D38771C80AD74515F713030C3E4A3FAEE4
                                          SHA-256:B47DA49ACB85BC7444F0B541B2C291711E2ABC3F4D6C3C7BFA40E160F0FB1C7E
                                          SHA-512:F41E1D6A78D1B94888D2A9D239220C39FB3F33F43EA484BB863D4AEEEE047FE61C35716012C0265BBD5F8D7A25E37DFC11870B333D958F6E637DF25D87303258
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):316928
                                          Entropy (8bit):6.223565644541473
                                          Encrypted:false
                                          SSDEEP:3072:zdxdtadpwya3eLy5j3OtVVVmMaW+2FdEXwxCJA1jUJ18oxzD/2a7IXACAX2r:5YnMgMSz18umXwxssW18o9bE9AX2r
                                          MD5:6282EFE661D435A3D98DB5C7FD214B0E
                                          SHA1:47BEC89BBEC8D729F8E663328B4D12243A864411
                                          SHA-256:7389CE534D96406574370A2C0D3439D1F39A2D8B158E9AC60C8AC643A15433BF
                                          SHA-512:6A624FE9D2E900CB3665DC8DF51AFF111B42F5E60A4DF15C5CD26D7792538508D6C1193C3516E4A3593E5576423DC9C81FDF76E0F2F1AECE79A571800FAB36E2
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1361920
                                          Entropy (8bit):6.441693455500275
                                          Encrypted:false
                                          SSDEEP:24576:6YpS27MkXILSoe6WBg2GXfc9pFB9pF/WOZNVJmC:6EMk4pe6WBg2Gvc9pFB9pF/WOZhmC
                                          MD5:2B9053038D000CC42E3A1B8B8862C971
                                          SHA1:97C3274374A640F0E79F93558C8BC6615F5E5568
                                          SHA-256:3A1A9BC4F3C77E863B864BDB9749B01664EE2A2E121BBEB98E982F3447F6A721
                                          SHA-512:0DD811012295FE9EFBD3F7BECBEEB59D395049ADD9D2A175B080AF7E479D52CF8D071CEE5752E6105C115C7D25C825FFF127E66EF5607BB9D1DEF8F71E05F6EF
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):135168
                                          Entropy (8bit):6.02419104352401
                                          Encrypted:false
                                          SSDEEP:3072:+yeGccIj8jidrMGzR2GvUjgWjidUykuJHgkX8QK5yn34yqPE0i0PpJ:xetNWihzR2GsjgQiWReHgkX8QK5yn34n
                                          MD5:818363094BDA8CEDF7A3A763F9DCBFE4
                                          SHA1:EEB593167B2E3B3284A686832B2304EEFA7E50DC
                                          SHA-256:5948F61BDBD5366012C56418C21FA5665A16C295B5D492874C78D4535497E00C
                                          SHA-512:2723BE8BA0E6332966F8A13FC3E69EC89E5CF885EA4DF91C43E56E3D4ECEBEC24E0CEFFC9E051C7B0B363A5EAAEE2B3F1EB5CD99FCDB006540A1E84EFB45B0D4
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):316416
                                          Entropy (8bit):6.1927679608514135
                                          Encrypted:false
                                          SSDEEP:6144:/k2B70hUcIBUDc1NSkJjZsQzRUbgSQDXUqK55mUgjGqj4YKp:/k2BC6BUDc1wAzOQ
                                          MD5:D0917D3646F86D8DCDFE709547CDD7DA
                                          SHA1:BE36123C1DD825A91245B13DCFF2BC6A9914CA95
                                          SHA-256:1774ECAC1EBA3F56E74A0815D62763927DCE7EB0C1657D1275A277AAED351347
                                          SHA-512:642D453CB10398BEEE7B2746E32BFE6FDB650E85BE36C49127DDEF27C1BA47C07006DFE1F0A39A3F5F9F7552CB69133F3D47AA07D502C6DB8D91F1FF43496D84
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):770048
                                          Entropy (8bit):6.354803561730781
                                          Encrypted:false
                                          SSDEEP:12288:faGFclpTrMvgd4IY9vht1Ccd8rQ+lQK3X5gPHl:J4prMzv8rwS5gPl
                                          MD5:599F1F3542B6FE33112F6382D0940E90
                                          SHA1:0D1A67C6F447E68C4BE6D5EB7D56137DDB89B57A
                                          SHA-256:D36076A06F5698F073B56834015A257B0945684B2D8E87CF4223D3823D76401A
                                          SHA-512:C6BFBEE4915C6315E8750AA35741C74771374F5CBF34F55FFDB70A9AB35DD8F91291DAFE0A7E7B737CD5D64C8DA9B285AD519A5D0A57D393C47D759EF0A21898
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):108032
                                          Entropy (8bit):5.862335076596899
                                          Encrypted:false
                                          SSDEEP:3072:vFXiKQQSP+pAK0V1bmB05idIzV/SYDYWZXUqK5Gt3d4hagjGjs898jm:vFbZSjK0VU653J/SYDYWZXUqK5Gt3d4Q
                                          MD5:8A6C6D702D6BBA4C871F3DD53FA2798A
                                          SHA1:024A0AB1EB863D73FEE204A3586972908D650C93
                                          SHA-256:C996075B8E024900DC234617FDEE684A70B6485B30A475912DAFCC89762C14FC
                                          SHA-512:3B1AD8DB67D95FF70B40B76542BEA099861E84E94028633661227E5AE89E0B37244851714EEEA9B3CA67F89649A6B59108B02C1FF5A372A935D2D97DDEA33A2F
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):173056
                                          Entropy (8bit):6.28250687905917
                                          Encrypted:false
                                          SSDEEP:3072:sfuX2oK8zK6VZXHL6MeXVhpDHKTBfCQDEt6B3SJMhyvOU:YuX2/8zXPXHOpnpDHKTBqQo2hyvx
                                          MD5:B0B546CCB963E0AA404D0BF60B3BD1ED
                                          SHA1:11FB2F616C12C00075B2F15E2A1D14CF17CE45E9
                                          SHA-256:E54D57A7957F6ACF88345C143BCBC4B76850F1CED48F74A452C1DCBBD23D3188
                                          SHA-512:FA6C3194FF9B159089111762B9893F459514840C8434E57FB05AF3D8D89C94AA255D9DF11928E6C65084978E5F30F7066E795160E17B37F8A26AC7D9FABAE59B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1346048
                                          Entropy (8bit):6.288854706571648
                                          Encrypted:false
                                          SSDEEP:12288:t2DZIuKxxUx0vcOe2HD9u7Hi1rudaUH3S9Wo3n4UBYuN+KEA/gb4Y+:CKxxUx0vcOe2Iu1rudaUHqesX
                                          MD5:53F46FFC523CEAB1FAAC4C667EB06168
                                          SHA1:C4FEB1473E0FD2B90DF289B98DF0399646D0BA6B
                                          SHA-256:62A7E7B2C1FB8C2F1543B2C8AA3D7CB4D4CACA0FF14F9DE73E19EFED2EB745F3
                                          SHA-512:F519F5029AD0C7C656256C6E6B7C78D465B6902BF96E180C54DB8CEB55BD84B5DA5D543FD770C20FBAE1FF368780D66F9ACEA9404D88FCF77513BDFF14410FFF
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):523776
                                          Entropy (8bit):6.389601028187329
                                          Encrypted:false
                                          SSDEEP:6144:5bWXCihAWw8nKsZjlcsJULzI6d7W77NZ3VW02d19advWYo2HdDvd2aZLSPU6+VY5:56CiejqlcsJUYI7W77vMdd1iBdtm
                                          MD5:8F3A2705AD8A5E19C224B36E22BD6DB8
                                          SHA1:EBCD0FBF3009A8182E8DAB031F9F866B2852D06B
                                          SHA-256:7896DC19C928DFA9CDF1955696D144C555B6AACB944EBA62DC0870D9A97957EA
                                          SHA-512:FB751BCB18121A98D6BB175719E463CEBA158B981FDDEDAC197C99B873B2FE2FCC9E5FC9E1D08897FCAFA3C069705E9431366FA2C544476EA4274250920B34DE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):172032
                                          Entropy (8bit):5.89641363334421
                                          Encrypted:false
                                          SSDEEP:3072:b6Cb6EUwSEadKUEFUIxigkChM0GpyUw8lgkswXpqwliOXUqXrjnmtUPGwMfci:56sZadKfUF5yM0SyvI5swXpqwliOXUqX
                                          MD5:D2CC1707FBAC27F315C2B3F6327E140F
                                          SHA1:ED511A987A2F7CC3D356DC9DC79570F6FA2F58C2
                                          SHA-256:A800B6DA1590B479D87C8438CCAD330B225A28D68DD79B9F9CF6D92D3AB56344
                                          SHA-512:50C0BCCD027E5422305178A4E65790B4F25C55402E5527FA96C4BF01283E11D422A3BB36B9E071B2A715ADDE6DDF27698857C13E7379C61C54F090A908B104BD
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):101376
                                          Entropy (8bit):5.785738063158019
                                          Encrypted:false
                                          SSDEEP:1536:xSYxmiiU4t+kpIJm2Ux6d6IjPI2kovWXv7liuKovWXvho6Ux:QMmiy+kCm2Ux6Ntg7lijvho6Ux
                                          MD5:797B066E161D1344E0C3E2903FE5F46B
                                          SHA1:725466588FA7D46A20108D66823FF8E36A967EAE
                                          SHA-256:34D2B492F6E636564FF2DB0C6CB26EB4BFD533E8F9D61A11B5B7E22E0A6D73A0
                                          SHA-512:467729520876F34FF3953BEDA3BA52E0AAB067A0150B1E956291EFF5EAFC6D4EFD1842482ADFA2C2FCDD4133799462A6173299987F39308AF36C78C3D9E39480
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):462848
                                          Entropy (8bit):6.1517197219214514
                                          Encrypted:false
                                          SSDEEP:6144:sTrCuTSmCCDS+jV3nPAzNONxLAoaLPWYnzN3WnK3VoLw2iPuUjikVOYWZXUqX8Iq:xESfCDS+jV3sNOb9YzNe8
                                          MD5:CBC528A4688F05F18F323BB4A025F5FC
                                          SHA1:1EC1D2FCC448A7651B8B46C42CC3E99D66D89B6C
                                          SHA-256:9587E5617D41BDECE926A7F509DA4E4CC59D100BC6996D0053B50BC8445C4312
                                          SHA-512:D9F203DF2F268FC83588ADD08C578663A7517012009D43FA871CB08664C366CD023D92EB2A38F9379AC7929C3F44B3FA61BFEE73DFE1DFA0CE20FEDEF30BCD08
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):69120
                                          Entropy (8bit):5.054303653190612
                                          Encrypted:false
                                          SSDEEP:768:UzW7GvL0IMf8zvQwhDMJnTR2xJKsJAkXM8AFZWPxrul2B6Z4T4AEdE4TQUV:cW7DfoYwZaGKH1oPxrul2B6Z4TDg
                                          MD5:63B24FE8EECC0DF28FC94E0C01D580EE
                                          SHA1:2DC8D461F06F2E18D77978FEE91E7B340F00643C
                                          SHA-256:930785E71302472EFDC198E225775B9F8BABC863BB909161BCB683F32CAAE713
                                          SHA-512:952D326BA29BC4396799355B4218BBD8C99399B6B02C979689FC94354A10A3ADE2CBB80B04FCE6CB1616A3ED1BB1BEEDE472C4F24CB09491ECB0BF22EA2F2302
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):89088
                                          Entropy (8bit):5.659619833066197
                                          Encrypted:false
                                          SSDEEP:768:kD5tnELC2k08u7ZEQDRjCfHFZ9MR5tGSvWmjBhWy43mxJBLKdtz8DyChgxWA/Nrr:ijPsaQDRGPFZ9MR59pHctz6Xh1aKNqB
                                          MD5:FACF7AB3AE107401C49CB6714522E4FD
                                          SHA1:5B7A05D9D106502A103DAFDA0215EC90416EB291
                                          SHA-256:69CDB02A45887D86DE988CF990E54B6D370B832EB9682AB8FB5D06FAB0CB24A4
                                          SHA-512:DF65C33654248B5F492130F8B018D39E18A236FD2181742ACB2F8BD83B48C11226294C24996A0ED2A8E57048C2AEDFA0D8587E38C5AC1F6BFCE3B25429BE45F3
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):651264
                                          Entropy (8bit):6.753107640302034
                                          Encrypted:false
                                          SSDEEP:12288:0vZsNBg/Oe0GGsK0EvT4LpAyBxe5OWRJd2jZRXyq6:0WNBgP0GxRMm3e5OWRTq
                                          MD5:CC8768E57582CE990A60B07A7FBE9A05
                                          SHA1:96058C0CFDA8E0318E2B6617D58803CFACE0DFB2
                                          SHA-256:719D97EF2D0A68290F0EC5DF1E5A3270C0F9835C019A2D2000008367E41F2B47
                                          SHA-512:825B6EBA254DA844805DFDAEC2623132B34666584076502EDB5DA762E704B0E9C7FE693254E8A6B22A92780B88D013D65F294C33AB8F81F3D08716CD88B4E35B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):422912
                                          Entropy (8bit):7.425381454206718
                                          Encrypted:false
                                          SSDEEP:6144:DVkjDczIQay6XxQM1+mXzoIpGUAlvtPJ2PaluoVuH9GGH8QXAtWfwOGjHhPuXik1:DWPDvr71NxAhUPvEGH9wv
                                          MD5:FF8997D34D249D75BA175C6013E9E7F0
                                          SHA1:3257506C7279879FF2235BC7BFE0702A498BB222
                                          SHA-256:BFA3E09AE7F649A4DD99E9667CBB715E75D0C6F4E6749EDC8EF37CE489626A58
                                          SHA-512:AC29C32179F2CE9D7AAF4048475A2600A209BA199D829F57E93B686B45C17EF6D3FEFDF322FA6BEBF2243E7943EBD08A754BBD3D7B79B0AB7EA9478BC6E5438F
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):89088
                                          Entropy (8bit):5.659619833066197
                                          Encrypted:false
                                          SSDEEP:768:kD5tnELC2k08u7ZEQDRjCfHFZ9MR5tGSvWmjBhWy43mxJBLKdtz8DyChgxWA/Nrr:ijPsaQDRGPFZ9MR59pHctz6Xh1aKNqB
                                          MD5:FACF7AB3AE107401C49CB6714522E4FD
                                          SHA1:5B7A05D9D106502A103DAFDA0215EC90416EB291
                                          SHA-256:69CDB02A45887D86DE988CF990E54B6D370B832EB9682AB8FB5D06FAB0CB24A4
                                          SHA-512:DF65C33654248B5F492130F8B018D39E18A236FD2181742ACB2F8BD83B48C11226294C24996A0ED2A8E57048C2AEDFA0D8587E38C5AC1F6BFCE3B25429BE45F3
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):809984
                                          Entropy (8bit):7.311103595541181
                                          Encrypted:false
                                          SSDEEP:24576:McEE5PGNJcyJDJKpEW+QCWYCG9XnZJmy5njJ4:MLE5P2ayJDJqgWY9dNJjJ
                                          MD5:9014EA0027A81C883FF4306AF520ECA1
                                          SHA1:DF47F88964B5BC61B4E64E52F82ADA16CD2621FB
                                          SHA-256:1088FC098DB5CAB69AB2EBDB746499917427153B638236874E4D4E787CAA7C48
                                          SHA-512:DB62B6D9CD89D373D6899AC72BE54EEF40D0661208DD3C4D4A339215268AC2064AB11E17F9282CCB6E31D957DCA10DAA10379A711914B17268BCFBD71251FEBB
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):199680
                                          Entropy (8bit):5.994057512347577
                                          Encrypted:false
                                          SSDEEP:6144:7Zf559/yXbc5N6Od7wUZiVOYWZXUqX8wrAAt3d4thaPytaGmdFSVX0Go3E:7Zf1qYXd
                                          MD5:B0CC9E45C8D303F745F0B68762C8A112
                                          SHA1:CF860A5490A7722B992A5AA783D463F5A40B8DC0
                                          SHA-256:3A224F72F4338C977E1CBEFDFCDEF4FF11BB1BE6B1283365710F746B98F74AB0
                                          SHA-512:318BB5009060E937B4D4EA4569458083BBD4D9D81EF07027AC41CD0CAF18D36FEDE6007514190FE86361A0BBA19EE0DE1A59B0B312C32BFEC0F4D4110AD57BF4
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):770048
                                          Entropy (8bit):6.354803561730781
                                          Encrypted:false
                                          SSDEEP:12288:faGFclpTrMvgd4IY9vht1Ccd8rQ+lQK3X5gPHl:J4prMzv8rwS5gPl
                                          MD5:599F1F3542B6FE33112F6382D0940E90
                                          SHA1:0D1A67C6F447E68C4BE6D5EB7D56137DDB89B57A
                                          SHA-256:D36076A06F5698F073B56834015A257B0945684B2D8E87CF4223D3823D76401A
                                          SHA-512:C6BFBEE4915C6315E8750AA35741C74771374F5CBF34F55FFDB70A9AB35DD8F91291DAFE0A7E7B737CD5D64C8DA9B285AD519A5D0A57D393C47D759EF0A21898
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):173056
                                          Entropy (8bit):6.28250687905917
                                          Encrypted:false
                                          SSDEEP:3072:sfuX2oK8zK6VZXHL6MeXVhpDHKTBfCQDEt6B3SJMhyvOU:YuX2/8zXPXHOpnpDHKTBqQo2hyvx
                                          MD5:B0B546CCB963E0AA404D0BF60B3BD1ED
                                          SHA1:11FB2F616C12C00075B2F15E2A1D14CF17CE45E9
                                          SHA-256:E54D57A7957F6ACF88345C143BCBC4B76850F1CED48F74A452C1DCBBD23D3188
                                          SHA-512:FA6C3194FF9B159089111762B9893F459514840C8434E57FB05AF3D8D89C94AA255D9DF11928E6C65084978E5F30F7066E795160E17B37F8A26AC7D9FABAE59B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):284672
                                          Entropy (8bit):6.16807195752963
                                          Encrypted:false
                                          SSDEEP:6144:VwYd2oduCK61HFSx6i61ySbDXUqXQ2rtmhaPqjaGx5OYWZmA3dtlsCK8Ity5Sqzp:e3o3HFSx6x
                                          MD5:12526E76341EF89259D59CAEC18045D1
                                          SHA1:349A87B9D215182D333ED5C775E20D8411F8CDBF
                                          SHA-256:73716620D787107D48AD76A589EB05BD425E47A4BC0ED9C7B5043811EB624FAF
                                          SHA-512:607B695650C68E3FE92CD7BF4767259F1746187D062EC77C1D8ADAC040B9E5ACDEBE4CC3523B42535655DC35BC9269212E7D2747827BF4F7FB276459CB4BD321
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):762880
                                          Entropy (8bit):6.830912301583025
                                          Encrypted:false
                                          SSDEEP:12288:zf1o+/qdWYlYw5Ne23xko1w4G9AtsZqoq+qrqoq+q+q+qYqIqGq+qJEWKRQ0zrW9:zfK+iYO3sp6sPEW+QCWYCGf
                                          MD5:19CA96363DED6BC2860E5B75E047A4FB
                                          SHA1:0695FE635DDD05AA03BCF5C8FFB10FEA2883B210
                                          SHA-256:896D546BFB5F1DAD137149AE1E79A5581C1E17DA54C971B28958BD0960F7FA1E
                                          SHA-512:03EA10E313BA0B6D82B9549B2D8E65A3B7BBF1F412C150C514021EDC70B8D3054AC65A2EEF4D1F8F3401E875C83AB496100A804AC1262B3AF60DBB0D23E78428
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):462848
                                          Entropy (8bit):6.1517197219214514
                                          Encrypted:false
                                          SSDEEP:6144:sTrCuTSmCCDS+jV3nPAzNONxLAoaLPWYnzN3WnK3VoLw2iPuUjikVOYWZXUqX8Iq:xESfCDS+jV3sNOb9YzNe8
                                          MD5:CBC528A4688F05F18F323BB4A025F5FC
                                          SHA1:1EC1D2FCC448A7651B8B46C42CC3E99D66D89B6C
                                          SHA-256:9587E5617D41BDECE926A7F509DA4E4CC59D100BC6996D0053B50BC8445C4312
                                          SHA-512:D9F203DF2F268FC83588ADD08C578663A7517012009D43FA871CB08664C366CD023D92EB2A38F9379AC7929C3F44B3FA61BFEE73DFE1DFA0CE20FEDEF30BCD08
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):420864
                                          Entropy (8bit):7.017370754405623
                                          Encrypted:false
                                          SSDEEP:6144:2Aa3aJFF+Po+4qnyRil/VcrSv2oGjDLXabtl+qTG1OmRwMMkuIO1ryswPijPuUKw:7PLFfqnuTo2D3AG14FktOh
                                          MD5:B623F80A4A8EA781520D28E372871E6C
                                          SHA1:E4BCC0D38771C80AD74515F713030C3E4A3FAEE4
                                          SHA-256:B47DA49ACB85BC7444F0B541B2C291711E2ABC3F4D6C3C7BFA40E160F0FB1C7E
                                          SHA-512:F41E1D6A78D1B94888D2A9D239220C39FB3F33F43EA484BB863D4AEEEE047FE61C35716012C0265BBD5F8D7A25E37DFC11870B333D958F6E637DF25D87303258
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):172032
                                          Entropy (8bit):5.89641363334421
                                          Encrypted:false
                                          SSDEEP:3072:b6Cb6EUwSEadKUEFUIxigkChM0GpyUw8lgkswXpqwliOXUqXrjnmtUPGwMfci:56sZadKfUF5yM0SyvI5swXpqwliOXUqX
                                          MD5:D2CC1707FBAC27F315C2B3F6327E140F
                                          SHA1:ED511A987A2F7CC3D356DC9DC79570F6FA2F58C2
                                          SHA-256:A800B6DA1590B479D87C8438CCAD330B225A28D68DD79B9F9CF6D92D3AB56344
                                          SHA-512:50C0BCCD027E5422305178A4E65790B4F25C55402E5527FA96C4BF01283E11D422A3BB36B9E071B2A715ADDE6DDF27698857C13E7379C61C54F090A908B104BD
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):316928
                                          Entropy (8bit):6.223565644541473
                                          Encrypted:false
                                          SSDEEP:3072:zdxdtadpwya3eLy5j3OtVVVmMaW+2FdEXwxCJA1jUJ18oxzD/2a7IXACAX2r:5YnMgMSz18umXwxssW18o9bE9AX2r
                                          MD5:6282EFE661D435A3D98DB5C7FD214B0E
                                          SHA1:47BEC89BBEC8D729F8E663328B4D12243A864411
                                          SHA-256:7389CE534D96406574370A2C0D3439D1F39A2D8B158E9AC60C8AC643A15433BF
                                          SHA-512:6A624FE9D2E900CB3665DC8DF51AFF111B42F5E60A4DF15C5CD26D7792538508D6C1193C3516E4A3593E5576423DC9C81FDF76E0F2F1AECE79A571800FAB36E2
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):446464
                                          Entropy (8bit):6.568690443444106
                                          Encrypted:false
                                          SSDEEP:6144:nO9LDFnmdy+DvALZLBo2os4hzkcjxa1jW1o6cjSNxGQTgaOnPjS3oSSPUa+VXqXt:O9dmdy+DoLC9hzkctUjW1oVjSNOnOY
                                          MD5:5209609C3F800F5B30BF5F3BD7091E89
                                          SHA1:62DBACC264BA0DD9AE839767FE2323C693807D7D
                                          SHA-256:A3D3031B665E5C1E2A8992826A57297E00DD3B7EA7EB559084E8BA204ACC15FB
                                          SHA-512:05EFB8E07D73EBD36E655A1D02C152758ABDBD43D0F65553BC71BC3B2D252843666C94A9CB69F4510FD21FB375254A24320D7C644E3BBF0706E7941628A241C9
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):128512
                                          Entropy (8bit):5.681739065236602
                                          Encrypted:false
                                          SSDEEP:3072:WN4ouHYzbyr5a1tAIyrSvfHwUKiVYWXUqXwrTt34thaPtaGbBvIiH/:sz+Yzia3vfHwUKiVYWXUqXwrTt34thaJ
                                          MD5:C56F2BC406754EE7FCC98F207DF7E6A4
                                          SHA1:6BD56A580AAE0F5268F2E47205201D3E980B9425
                                          SHA-256:8F3B7191F8E63451C97E050197C95797823041318AB632B4890563A8AAD25C4C
                                          SHA-512:10B3369D8CCE4BDEBAC0F1194924E936A8B834B68432D55B4ABDA4AA85E6D4D9DB756823115B6C2E37B02F87FDFFC9CE717F6B977623325BABC5FD14AA0BC082
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):7794688
                                          Entropy (8bit):6.463547042992633
                                          Encrypted:false
                                          SSDEEP:49152:jto9kTHzq7czDlqm32WKMI57d6H+6yBg6CZNjHBEo/Uo9JKmjQwqZX+6+Yj7rne7:5ooDlq1BsMJ+ovWh4rdOqIkMVUaT7
                                          MD5:F76AB453BFBE4065FA95905950765C21
                                          SHA1:D6C512637C868ED73ADA1C38FEC3973065DF82F7
                                          SHA-256:646DC8D582D9A93B5FBC62C5212F698463EBF50537B2FEB7928EA1E560DBF34D
                                          SHA-512:4C6FF309B4B49927FD18387FAAABDD3C645743B8BB093963DB33E3971F4A366E386E90D29DE0BEFAABE15345D2D723FC625A23BBFAB9A13CD42EF53170DDE45B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):256000
                                          Entropy (8bit):6.02324937299118
                                          Encrypted:false
                                          SSDEEP:6144:ub3DYs9jX5c8AyhnZONYRfSWDOYWZXUqXQ2r1At3d4haPqjaGQzJAS:ub3DYkJNZOCl
                                          MD5:3B591115D780BFE4451617ADF78ED6C0
                                          SHA1:C02FA4AAADD880BD67BB4F4ECA3F7D14B1BB6EB1
                                          SHA-256:42C6CA961FCF7BA295C6E5B557791CB31A7BEEEAEEB93537B7305D7D88822F61
                                          SHA-512:B140C1E6AFEFB0730EC260E5A14CABCF2B12CBCE93EB9D94C2652DE275DC1BF0F3C9277C83B8AB04C573C1F0278C859DD7AC5B3491DBDEA0067080173B42D798
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):359424
                                          Entropy (8bit):6.110250673660502
                                          Encrypted:false
                                          SSDEEP:6144:egGbJ/wl8Zg7MwSg3KkOdy/eceJc4kb6QHyHhJUDVZqXr/4tUPtGh3J8:HGbJ/xtzy2vU6m
                                          MD5:72617BB41D6B8FFBD21C41B656743F15
                                          SHA1:D0450960CA791E5089D94F28685D44FE7B66D9DA
                                          SHA-256:4E2DEEB11349005DB7C7C66AB894EF993C3B0ED77C67E9E6DCF0B733A77CA7F5
                                          SHA-512:405D97ADFB5D5DE6B7A980491CDD1C295EF13ED1145777C15EAD77661DB568E0EE253437AE6F81C2F564F5155FACA60A1271A0A9464F7282759CA640FD8E3627
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):40960
                                          Entropy (8bit):5.56216524552819
                                          Encrypted:false
                                          SSDEEP:768:NB//tTSg1XQ9BbTYqIb10G7uBVtpnoc+G9/qxyVl2B6Zq4AYUXRL:NB//Bhg9tYqIaPupxyVl2B6ZqLX
                                          MD5:D0035DFB056E4D41C22ADBC73A0610F5
                                          SHA1:C9BBA2F02EA2E19711DDB1694FB23D1783F90666
                                          SHA-256:A854FE42BD3DF262308C0AA558D9C4BD72E7A02503CE97A32B21584997640271
                                          SHA-512:80D89E6B5B45397EFA8CAD1C59BCB37B3527024334E086C9C97717ED8BB18FDAD055CEC05A393DAD1E903ED57F626892A8AD0EB2BA4833394138DB588F8D3A20
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):92672
                                          Entropy (8bit):5.699025601635425
                                          Encrypted:false
                                          SSDEEP:768:ZH/4VAVjyv3/I+5sjlfsUbsqA4HGNtYAG7RehRRldqKqhaaShhNt42L2XI0:54BoSstswsb4HM9BQbohh/FL2XI0
                                          MD5:7E8B270B0F5D6FAC1C08287A2311F182
                                          SHA1:922F7BC5D619A87DE976FD245C92807B0D9D25E1
                                          SHA-256:8DEBB1DE532E8F19910A5171BC17A4F61D95F64EA218A0BA06428F629819989A
                                          SHA-512:39083C9BA8003B1E2D0E96BE80468D71D0CAEF02D8A528F83A59BEDA646BDC8AB73520AE66AE6BE6E4727F2C90D18D7833812946EF512410F4B299D738B40695
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):179712
                                          Entropy (8bit):5.852434135668565
                                          Encrypted:false
                                          SSDEEP:3072:4hxnD6aRnrTiNTOPIGx2WhkaFzRRfxXUfBG2JyKD2ZEeyaYstPuUSikVYWXUqX8j:u7yNO2WVzRRfVUfBjkKyZdyaYstPuUSY
                                          MD5:66A1CE3D888299DD5BE35A198D3F4193
                                          SHA1:A50F711813243687966E82C8074199EE6D0CA5FA
                                          SHA-256:3992F7A2AEEEC2B0F980945CA7E234CF9B5A3E3DBC22175B7CA7E32F33EA15F6
                                          SHA-512:54333662EB185F693AEEA7B75F5A1AEE101AD863E7DB98AD1997DB5065388560C73E772B2855338594BE37F0704046F39A348A83F8C0586DD8BEC70D7A51DAE7
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):176640
                                          Entropy (8bit):6.210464486399451
                                          Encrypted:false
                                          SSDEEP:3072:CHqi5QS9LZnjXtSUYSI5mvZMmxsIBEoE0UlQwSpPUB+VYVUqK2rntmrUgjaGAKvV:CHqi5105mhMmWIBrzpPUB+VYVUqK2rni
                                          MD5:B5B35AEC6CDFAAD5B25BC2FEFFB65FB0
                                          SHA1:E6BE61074D3DCC11F53FC81B0FB533832E6481D8
                                          SHA-256:A7A4E133D4AACD25A8E135676A15453C25B924A99356BCB4118CAFAA22F66066
                                          SHA-512:9168DF919D02C5DDF324966101A6D8BABC77CD34B4888E607B425E705DB9557E156A4BAD16DFD3C726A3FD370AE263BA8F8A52BE62A9BD765B8EB3C3F7FD6407
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):316416
                                          Entropy (8bit):6.1927679608514135
                                          Encrypted:false
                                          SSDEEP:6144:/k2B70hUcIBUDc1NSkJjZsQzRUbgSQDXUqK55mUgjGqj4YKp:/k2BC6BUDc1wAzOQ
                                          MD5:D0917D3646F86D8DCDFE709547CDD7DA
                                          SHA1:BE36123C1DD825A91245B13DCFF2BC6A9914CA95
                                          SHA-256:1774ECAC1EBA3F56E74A0815D62763927DCE7EB0C1657D1275A277AAED351347
                                          SHA-512:642D453CB10398BEEE7B2746E32BFE6FDB650E85BE36C49127DDEF27C1BA47C07006DFE1F0A39A3F5F9F7552CB69133F3D47AA07D502C6DB8D91F1FF43496D84
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):108032
                                          Entropy (8bit):5.862335076596899
                                          Encrypted:false
                                          SSDEEP:3072:vFXiKQQSP+pAK0V1bmB05idIzV/SYDYWZXUqK5Gt3d4hagjGjs898jm:vFbZSjK0VU653J/SYDYWZXUqK5Gt3d4Q
                                          MD5:8A6C6D702D6BBA4C871F3DD53FA2798A
                                          SHA1:024A0AB1EB863D73FEE204A3586972908D650C93
                                          SHA-256:C996075B8E024900DC234617FDEE684A70B6485B30A475912DAFCC89762C14FC
                                          SHA-512:3B1AD8DB67D95FF70B40B76542BEA099861E84E94028633661227E5AE89E0B37244851714EEEA9B3CA67F89649A6B59108B02C1FF5A372A935D2D97DDEA33A2F
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):176640
                                          Entropy (8bit):5.979004104906084
                                          Encrypted:false
                                          SSDEEP:3072:yDezrKCWiK4KUCT58JUpGK3ETnvMdnRSxDOkZXqi0n3d4Uwtv0QZdn1d5BKJ7:ygK4BC8JmGKU7MdRSxDOkZXqi0n3d4UN
                                          MD5:CAE0381FA5B340F4D994D60934FE517F
                                          SHA1:5B8DE02471B39CCC1159698A7029EBC918375F26
                                          SHA-256:9B8083EC253D0BE27D15BCF1FB9E8FFA2137C99E6608BB23D135FB082B03353A
                                          SHA-512:91EA95A3840723D3BBDFA062C7BC987E0EEE258A919119E6F901C6C1F2041D45815CAE4D1F682149FD05B94A7889E8FCA302F14BABCAB1BB51A32262DA915C5F
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):101376
                                          Entropy (8bit):5.785738063158019
                                          Encrypted:false
                                          SSDEEP:1536:xSYxmiiU4t+kpIJm2Ux6d6IjPI2kovWXv7liuKovWXvho6Ux:QMmiy+kCm2Ux6Ntg7lijvho6Ux
                                          MD5:797B066E161D1344E0C3E2903FE5F46B
                                          SHA1:725466588FA7D46A20108D66823FF8E36A967EAE
                                          SHA-256:34D2B492F6E636564FF2DB0C6CB26EB4BFD533E8F9D61A11B5B7E22E0A6D73A0
                                          SHA-512:467729520876F34FF3953BEDA3BA52E0AAB067A0150B1E956291EFF5EAFC6D4EFD1842482ADFA2C2FCDD4133799462A6173299987F39308AF36C78C3D9E39480
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):78848
                                          Entropy (8bit):5.706468056806483
                                          Encrypted:false
                                          SSDEEP:1536:9k4/Mci6r3c8rqCn4ECmDaIwZMf7SHQQg:9Wir36CnDCmDtes7o5g
                                          MD5:2A1AF3679C02070A52A13B75B548310F
                                          SHA1:912BBFEBABAEFDB581CD88D2695AC5B8EA9A08C0
                                          SHA-256:34CE6BD3C5981C8C6E0EA329F30473E10511B01A5C901E70820CC0684F90B2DD
                                          SHA-512:C3490BB968E6B0C4FFC4458F7AD4AC0C67610C87C868A9BE436EBED641BAD820DB8297A9F92FA2244FDE3B5B50C4E409DD292FF2B792518AD7BD9657536F82D0
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):2413568
                                          Entropy (8bit):5.788428616549328
                                          Encrypted:false
                                          SSDEEP:49152:jvh3MIAWPmR2DXCVLDzh5mJ8dIfialhjj/:jx+WPCVqfvjT
                                          MD5:6FCB8364953136BD82083C3D83811BA1
                                          SHA1:ABBC9B532F13CF6EF25FAC46F25E534BD294171C
                                          SHA-256:5D1595E5041B3773B3755D16E1AC291F04E99EE429479398410586434450C320
                                          SHA-512:391C676EEFBF7E4271955E0C7BCAB0F0FA0BB569E92D8BEAC6F8F538F9B43EC2FA19C72FE5DDFD4FC874EB29170DFC2640F22C5B43DBB88B3F8D93233F9F55B5
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):331776
                                          Entropy (8bit):6.093352707192958
                                          Encrypted:false
                                          SSDEEP:6144:rFQnkwlKk8uChUCw63q16OAVsLaCXPUy+VOYWZXUqX8SI2rrAt3d4hlUPytQ54GY:ekw0k8dUZas2CrLh
                                          MD5:838D1AEFC3FDBC6E138D6513B714FE7B
                                          SHA1:5B4C6818BFE34684138757E1690CAD5A730A36CE
                                          SHA-256:E242F8C764A015DEA36CCA2A183A431A53680BD5E5FC4F24F9D878909E90A61D
                                          SHA-512:66717B006A31FE9D8001F0A1AFCE4961C7D8DED050CC9C67C7EBDCF4B85902F10D49B5E1825547049224A63A0F6991C97EDDA3566E82C45476E1C20D51A6789C
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):175104
                                          Entropy (8bit):6.11735671904995
                                          Encrypted:false
                                          SSDEEP:3072:9Y0G2KFUjBfARsbW/OrqDwkqT2QuwU6iVOYWXUqKK5tAt34tUgj5Eg8v0/Vb:uf2eABnbIOrqbqTDuwU6iVOYWXUqKK5X
                                          MD5:8EB327D1029B136E4D7A71095022D062
                                          SHA1:B5C1874A4E23EE1FFC9EAAF272D4627EAD2609A7
                                          SHA-256:C426A8A164ABFFD2569811AD6E808DD575ABE10E472C68EDE69E9B6D6946D638
                                          SHA-512:29ED58A53A60CEF2AFC9B5824AB7FE2E47EE78C2F59A67858FC8ACB82D1409C622CDC7D7537AC32B7807D6C43971E95DD75A37E30CD381A5AB35ADE67C48DC8A
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):523776
                                          Entropy (8bit):6.389601028187329
                                          Encrypted:false
                                          SSDEEP:6144:5bWXCihAWw8nKsZjlcsJULzI6d7W77NZ3VW02d19advWYo2HdDvd2aZLSPU6+VY5:56CiejqlcsJUYI7W77vMdd1iBdtm
                                          MD5:8F3A2705AD8A5E19C224B36E22BD6DB8
                                          SHA1:EBCD0FBF3009A8182E8DAB031F9F866B2852D06B
                                          SHA-256:7896DC19C928DFA9CDF1955696D144C555B6AACB944EBA62DC0870D9A97957EA
                                          SHA-512:FB751BCB18121A98D6BB175719E463CEBA158B981FDDEDAC197C99B873B2FE2FCC9E5FC9E1D08897FCAFA3C069705E9431366FA2C544476EA4274250920B34DE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):2327552
                                          Entropy (8bit):6.176241265246855
                                          Encrypted:false
                                          SSDEEP:24576:O9XXVP3T68F+qFOeFHHnCezLuDOVPWoMTHNRxoeGMQTemhlYglQ6/:O55p9FHHChuWoMTtRxoeG7TemhlYgl
                                          MD5:BDFC79FCB07C834E2DA85800A1DED6E8
                                          SHA1:CC10974040DF9453D3C2E1F63CFD0353B334547C
                                          SHA-256:15B657DCC6FCA6FADD1B1BC578F6AFCC661E4B5C5B6EC932CB830D954DD8C6CF
                                          SHA-512:D9A309458508EC95D5D17DA6028516EB44395757EBF2E0F232C454F3DFC5189463CD874F7452147C3AB2542D305F4D6417ADD600C05864150786BA8B6484C35D
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):667136
                                          Entropy (8bit):6.34619241274607
                                          Encrypted:false
                                          SSDEEP:12288:JN/JS7wk02GaPVBbhBuMfhar4oKEis9lSiHyu:H/JYbtfhar4o4s9N
                                          MD5:5B08EE82E421440576CC76FA55C815B0
                                          SHA1:9CB7BB486FD098E4D727820662B3247A1CDB2681
                                          SHA-256:04C5A5E11C5679B72AC7901EF3850BFEA96A37AA85CE4DE82EAF3D04F41A1417
                                          SHA-512:F954E7A36F2B3274DBE8123C96B344DDD770F7DD433DA4B5C0ACAC0ECA14ADDC08E2AD810FD7D58D03169D131B558FD35259B0E4045C30410EC25A4B980B5B7B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):513536
                                          Entropy (8bit):6.228865745475452
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):69120
                                          Entropy (8bit):5.054303653190612
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1346048
                                          Entropy (8bit):6.288854706571648
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):100864
                                          Entropy (8bit):5.986356949370447
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):1361920
                                          Entropy (8bit):6.441693455500275
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):422912
                                          Entropy (8bit):7.425381454206718
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):364544
                                          Entropy (8bit):6.4959469184242735
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):651264
                                          Entropy (8bit):6.753107640302034
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):135168
                                          Entropy (8bit):6.02419104352401
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):228864
                                          Entropy (8bit):6.33558640199254
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):418816
                                          Entropy (8bit):6.226647789656364
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):359936
                                          Entropy (8bit):5.682629096124071
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):61680
                                          Entropy (8bit):5.923759574558729
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):4450544
                                          Entropy (8bit):6.458222828027988
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):10633328
                                          Entropy (8bit):6.192336081640698
                                          Encrypted:false
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):2054
                                          Entropy (8bit):4.952088682948797
                                          Encrypted:false
                                          SSDEEP:24:PAJnpXNXa717fXoZqiYJXaP9qqt9bRuY4RB+Rg0+6IVklbmCVRR5GHRh8yhj9bR0:K9coY41fkDdKFjGHRh8e6Q6
                                          MD5:44861A2AC1B8401AE2E7B4A8B7481105
                                          SHA1:3153AD90FB9AC9AB9B408769334DD2294871481D
                                          SHA-256:FBB200C6CA5BF0ABBFF051ED7D7DA77E99BC1CC8BAAEC9B7919209EE812E3505
                                          SHA-512:3CA79FB9E228E38F36613BDB43E44AB7877959037D7F49108415DE1CB211E2E67E1409B2700EEBE5AB8812FA501AC682512A8A1CEBCCC580CD09B100910DA673
                                          Malicious:false
                                          Reputation:low
                                          Preview://////////////////////////////////////////////////////////////////////////////////////..//..//..//.Bilateral filtering..//..//..C.B. - 08/16/2008..// D.G-M. - 10/20/2010..// D.G-M. - 02/18/2014..//..//.IN:..//..s2_I.-.Image to blur..//..s2_D.-.Modulating depth image..//..//.OUT:..//..Filtered image..//..///////////////////////////////////////////////////////////////////////////////////////..//#extension GL_ARB_draw_buffers : enable....../****************************************************/..uniform.sampler2D.s2_I;..uniform.sampler2D.s2_D;..uniform.float..SX;..uniform.float..SY;..uniform.int.. NHalf;.....//.half filter size (<= 7!)..uniform float..DistCoefs[64];...//.pixel distance based damping coefs (max = 8*8)...uniform float..SigmaDepth;....// pixel depth distribution variance../****************************************************/....void main (void)..{...float.z..= texture2D(s2_D,gl_TexCoord[0].st).r;.....float.wsum.=.0.0;....// sum of all weights...vec3.csum.=
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):575
                                          Entropy (8bit):4.217582186850506
                                          Encrypted:false
                                          SSDEEP:12:PA84UwgX6axX6h7N/rbz47GEyS90aw2xst:PAJcXNXa71CU5
                                          MD5:65ABEDC7232060F38E374DAA2D464AA4
                                          SHA1:49980217E6FD91DD27EA093FCC27394C690E8974
                                          SHA-256:0F3089B49562873AA19B14783BA9095A5F0A4D0436C4678F41064E2ED9DF52C6
                                          SHA-512:F8019114DE004EE7ADA0A24D7C18FFFFF68347AA5B8316276D35E420430225BE5C018EC49CB7D0C9D94BBFFF20ABDE1589D62B868269CB1B62ED5ADAAD39A91F
                                          Malicious:false
                                          Reputation:low
                                          Preview://////////////////////////////////////////////////////////////////////////////////////..//..//..//.Bilateral filtering..//..//..C.B. - 08/16/2008..// D.G-M. - 10/20/2010..//..//.IN:..//..s2_I.-.Image to blur..//..s2_D.-.Modulating depth image..//..//.OUT:..//..Filtered image..//..///////////////////////////////////////////////////////////////////////////////////////..//#extension GL_EXT_gpu_shader4 : enable..//#version 110..//#extension GL_ARB_draw_buffers : enable....void.main ()..{...gl_TexCoord[0].=.gl_MultiTexCoord0;...gl_Position =.ftransform ();..}..
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):2054
                                          Entropy (8bit):4.952088682948797
                                          Encrypted:false
                                          SSDEEP:24:PAJnpXNXa717fXoZqiYJXaP9qqt9bRuY4RB+Rg0+6IVklbmCVRR5GHRh8yhj9bR0:K9coY41fkDdKFjGHRh8e6Q6
                                          MD5:44861A2AC1B8401AE2E7B4A8B7481105
                                          SHA1:3153AD90FB9AC9AB9B408769334DD2294871481D
                                          SHA-256:FBB200C6CA5BF0ABBFF051ED7D7DA77E99BC1CC8BAAEC9B7919209EE812E3505
                                          SHA-512:3CA79FB9E228E38F36613BDB43E44AB7877959037D7F49108415DE1CB211E2E67E1409B2700EEBE5AB8812FA501AC682512A8A1CEBCCC580CD09B100910DA673
                                          Malicious:false
                                          Reputation:low
                                          Preview://////////////////////////////////////////////////////////////////////////////////////..//..//..//.Bilateral filtering..//..//..C.B. - 08/16/2008..// D.G-M. - 10/20/2010..// D.G-M. - 02/18/2014..//..//.IN:..//..s2_I.-.Image to blur..//..s2_D.-.Modulating depth image..//..//.OUT:..//..Filtered image..//..///////////////////////////////////////////////////////////////////////////////////////..//#extension GL_ARB_draw_buffers : enable....../****************************************************/..uniform.sampler2D.s2_I;..uniform.sampler2D.s2_D;..uniform.float..SX;..uniform.float..SY;..uniform.int.. NHalf;.....//.half filter size (<= 7!)..uniform float..DistCoefs[64];...//.pixel distance based damping coefs (max = 8*8)...uniform float..SigmaDepth;....// pixel depth distribution variance../****************************************************/....void main (void)..{...float.z..= texture2D(s2_D,gl_TexCoord[0].st).r;.....float.wsum.=.0.0;....// sum of all weights...vec3.csum.=
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):575
                                          Entropy (8bit):4.217582186850506
                                          Encrypted:false
                                          SSDEEP:12:PA84UwgX6axX6h7N/rbz47GEyS90aw2xst:PAJcXNXa71CU5
                                          MD5:65ABEDC7232060F38E374DAA2D464AA4
                                          SHA1:49980217E6FD91DD27EA093FCC27394C690E8974
                                          SHA-256:0F3089B49562873AA19B14783BA9095A5F0A4D0436C4678F41064E2ED9DF52C6
                                          SHA-512:F8019114DE004EE7ADA0A24D7C18FFFFF68347AA5B8316276D35E420430225BE5C018EC49CB7D0C9D94BBFFF20ABDE1589D62B868269CB1B62ED5ADAAD39A91F
                                          Malicious:false
                                          Reputation:low
                                          Preview://////////////////////////////////////////////////////////////////////////////////////..//..//..//.Bilateral filtering..//..//..C.B. - 08/16/2008..// D.G-M. - 10/20/2010..//..//.IN:..//..s2_I.-.Image to blur..//..s2_D.-.Modulating depth image..//..//.OUT:..//..Filtered image..//..///////////////////////////////////////////////////////////////////////////////////////..//#extension GL_EXT_gpu_shader4 : enable..//#version 110..//#extension GL_ARB_draw_buffers : enable....void.main ()..{...gl_TexCoord[0].=.gl_MultiTexCoord0;...gl_Position =.ftransform ();..}..
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:C source, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1493
                                          Entropy (8bit):5.139795787271186
                                          Encrypted:false
                                          SSDEEP:24:lAYN3N2/SGxAW1SGzAZ9CbO9YuX/kQGzi9F/gIeomQBfNiMTZrkw2wlGhvHyV:lhNY/SCfvAZqOL/lGzi9u8muiMTZrkw1
                                          MD5:2FE6DA9614E33E9DF2B01DB6E993593C
                                          SHA1:DD08737C5E040152A17F0A286F20D19124912FF8
                                          SHA-256:DA55F4ED9DE650E3197F708DB714789F184624A24E23BB62B7CABF70EA9850CA
                                          SHA-512:6DE06B2682483F8C28E2225E5D5D17CAFA8E3477AD67A9E88BE4CE30DE7F3175EA08D5D2D6CCBD71BF5C94A4302A4193E44EE18D1350FC8AD5BECD87ED065B6C
                                          Malicious:false
                                          Reputation:low
                                          Preview:#version 110....// Color Ramp Shader (CloudCompare - 04/23/2013)....uniform float uf_minSaturation;...//minimum saturation value (between 0 and 1)..uniform float uf_maxSaturation;...//maximum saturation value (between 0 and 1)....uniform float uf_colormapTable[256];.//float-packed RGB colors (max: 256)..uniform float uf_colormapSize;...//colormap size (as a float as we only use it as a float!)..uniform float uf_colorGray;....//color for grayed-out points....void main(void)..{...//input: gl_Color...// - gl_Color[0] = normalized scalar value...// - gl_Color[1] = flag: whether point should be grayed (< 1.0) or not (1.0)...// - gl_Color[2] = true lighting value...//output: gl_FragColor......vec3 unpackedValues = vec3(1.0, 256.0, 65536.0);......if (gl_Color[1] > 0.99) //0.99 to cope with round-off issues (in perspective mode for instance)...{....//determine position in current colormap....int rampPosi;....if (gl_Color[0] <= uf_minSaturation).....rampPosi = 0;....else if (gl_Color[0] < uf_ma
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:C source, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1493
                                          Entropy (8bit):5.139795787271186
                                          Encrypted:false
                                          SSDEEP:24:lAYN3N2/SGxAW1SGzAZ9CbO9YuX/kQGzi9F/gIeomQBfNiMTZrkw2wlGhvHyV:lhNY/SCfvAZqOL/lGzi9u8muiMTZrkw1
                                          MD5:2FE6DA9614E33E9DF2B01DB6E993593C
                                          SHA1:DD08737C5E040152A17F0A286F20D19124912FF8
                                          SHA-256:DA55F4ED9DE650E3197F708DB714789F184624A24E23BB62B7CABF70EA9850CA
                                          SHA-512:6DE06B2682483F8C28E2225E5D5D17CAFA8E3477AD67A9E88BE4CE30DE7F3175EA08D5D2D6CCBD71BF5C94A4302A4193E44EE18D1350FC8AD5BECD87ED065B6C
                                          Malicious:false
                                          Reputation:low
                                          Preview:#version 110....// Color Ramp Shader (CloudCompare - 04/23/2013)....uniform float uf_minSaturation;...//minimum saturation value (between 0 and 1)..uniform float uf_maxSaturation;...//maximum saturation value (between 0 and 1)....uniform float uf_colormapTable[256];.//float-packed RGB colors (max: 256)..uniform float uf_colormapSize;...//colormap size (as a float as we only use it as a float!)..uniform float uf_colorGray;....//color for grayed-out points....void main(void)..{...//input: gl_Color...// - gl_Color[0] = normalized scalar value...// - gl_Color[1] = flag: whether point should be grayed (< 1.0) or not (1.0)...// - gl_Color[2] = true lighting value...//output: gl_FragColor......vec3 unpackedValues = vec3(1.0, 256.0, 65536.0);......if (gl_Color[1] > 0.99) //0.99 to cope with round-off issues (in perspective mode for instance)...{....//determine position in current colormap....int rampPosi;....if (gl_Color[0] <= uf_minSaturation).....rampPosi = 0;....else if (gl_Color[0] < uf_ma
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:C source, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):78
                                          Entropy (8bit):4.483574097306791
                                          Encrypted:false
                                          SSDEEP:3:eMDuVuGsARF+DGtUC9ztMfFv:eMyVfsAj+DGeQztKFv
                                          MD5:1FFC70357549CB8D436AC4BE9B04AD45
                                          SHA1:D34A2F8B2356801B35547DA446A7D61896C65780
                                          SHA-256:704D8EB9A2C769AA323CF7B22F4389F519B63242B3CA5B96B5568B380B71371A
                                          SHA-512:E6243A7FEE1F16D267BA5F14CAEEA6637D67AB91911FFF58D337AA4CC0650F254D5028A28513D19E2BD6086564AC03F98790224C9E1B497EC9087132CA382C2D
                                          Malicious:false
                                          Reputation:low
                                          Preview:uniform mediump vec4 color;....void main(void)..{...gl_FragColor = color;..}..
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:C source, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):500
                                          Entropy (8bit):4.941886416524513
                                          Encrypted:false
                                          SSDEEP:12:1Q5dYXqemvBfMA9dt4XDXAeoQf3/t4yBdR/t4bIBddY:UdYXlmqAQXAajIIjdY
                                          MD5:9E15D4ACA879CDBFA295C44181486640
                                          SHA1:AA6CDE1E894501C4D77A739A2FA3B59AA1019AAB
                                          SHA-256:7BF3E2343228E7B358748D65124237944FC3554E84C3231BCB32C203B4489DEC
                                          SHA-512:11490C58924AFFC1C94AEAC6EF3352DA9F4AACA75F9FB1A0601E9D24912138A284C1009D8C12DBF94C230B1841958C2E5B6E22A318009F0739FD856B2A5D81C0
                                          Malicious:false
                                          Reputation:low
                                          Preview:#version 330 core..layout (points) in;..layout (line_strip, max_vertices = 2) out;....in Vertex..{.. vec3 normal;..} vertex[];....uniform float normalLength;..uniform mat4 modelViewProjectionMatrix;......void main(void)..{...vec3 P = gl_in[0].gl_Position.xyz;.. vec3 N = vertex[0].normal;.... gl_Position = modelViewProjectionMatrix * vec4(P, 1.0);.. EmitVertex();.....gl_Position = modelViewProjectionMatrix * vec4(P + N * normalLength, 1);.. EmitVertex();.. .. EndPrimitive();..}
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:C source, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):194
                                          Entropy (8bit):4.752538927356536
                                          Encrypted:false
                                          SSDEEP:3:4RXMHyCNVpqF9qTHyCNVpqFVgAtF2RAIHTMgwTA2dQF+DG7YGrWAEOpbkY+nt:4xMS6p4uS6pzAtATzmA6Q+DGDjkYGt
                                          MD5:049C8D4D4C74118D63E6BD3B93602999
                                          SHA1:A164F8E6F8145CDFB292F3042C74AB829909E5D6
                                          SHA-256:BE9E508487D97A7507B0418B37F22619F83CC421104BF08F817A26E51223EE3A
                                          SHA-512:31F18BC03EF893FCDA9E6D10C6BCC8DC795E6881DE9037270D5C5A8A16B42DA4DD57153421F2A3B675645472A6F28A0D2724749C32D75AB9EAB275E0F1B72CF4
                                          Malicious:false
                                          Reputation:low
                                          Preview:attribute highp vec3 vertexIn;..attribute highp vec3 normal;....out Vertex..{.. vec3 normal;..} vertex;....void main(void)..{...gl_Position = vec4(vertexIn, 1.0);...vertex.normal = normal;..}..
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:C source, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):78
                                          Entropy (8bit):4.483574097306791
                                          Encrypted:false
                                          SSDEEP:3:eMDuVuGsARF+DGtUC9ztMfFv:eMyVfsAj+DGeQztKFv
                                          MD5:1FFC70357549CB8D436AC4BE9B04AD45
                                          SHA1:D34A2F8B2356801B35547DA446A7D61896C65780
                                          SHA-256:704D8EB9A2C769AA323CF7B22F4389F519B63242B3CA5B96B5568B380B71371A
                                          SHA-512:E6243A7FEE1F16D267BA5F14CAEEA6637D67AB91911FFF58D337AA4CC0650F254D5028A28513D19E2BD6086564AC03F98790224C9E1B497EC9087132CA382C2D
                                          Malicious:false
                                          Reputation:low
                                          Preview:uniform mediump vec4 color;....void main(void)..{...gl_FragColor = color;..}..
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:C source, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):500
                                          Entropy (8bit):4.941886416524513
                                          Encrypted:false
                                          SSDEEP:12:1Q5dYXqemvBfMA9dt4XDXAeoQf3/t4yBdR/t4bIBddY:UdYXlmqAQXAajIIjdY
                                          MD5:9E15D4ACA879CDBFA295C44181486640
                                          SHA1:AA6CDE1E894501C4D77A739A2FA3B59AA1019AAB
                                          SHA-256:7BF3E2343228E7B358748D65124237944FC3554E84C3231BCB32C203B4489DEC
                                          SHA-512:11490C58924AFFC1C94AEAC6EF3352DA9F4AACA75F9FB1A0601E9D24912138A284C1009D8C12DBF94C230B1841958C2E5B6E22A318009F0739FD856B2A5D81C0
                                          Malicious:false
                                          Reputation:low
                                          Preview:#version 330 core..layout (points) in;..layout (line_strip, max_vertices = 2) out;....in Vertex..{.. vec3 normal;..} vertex[];....uniform float normalLength;..uniform mat4 modelViewProjectionMatrix;......void main(void)..{...vec3 P = gl_in[0].gl_Position.xyz;.. vec3 N = vertex[0].normal;.... gl_Position = modelViewProjectionMatrix * vec4(P, 1.0);.. EmitVertex();.....gl_Position = modelViewProjectionMatrix * vec4(P + N * normalLength, 1);.. EmitVertex();.. .. EndPrimitive();..}
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:C source, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):194
                                          Entropy (8bit):4.752538927356536
                                          Encrypted:false
                                          SSDEEP:3:4RXMHyCNVpqF9qTHyCNVpqFVgAtF2RAIHTMgwTA2dQF+DG7YGrWAEOpbkY+nt:4xMS6p4uS6pzAtATzmA6Q+DGDjkYGt
                                          MD5:049C8D4D4C74118D63E6BD3B93602999
                                          SHA1:A164F8E6F8145CDFB292F3042C74AB829909E5D6
                                          SHA-256:BE9E508487D97A7507B0418B37F22619F83CC421104BF08F817A26E51223EE3A
                                          SHA-512:31F18BC03EF893FCDA9E6D10C6BCC8DC795E6881DE9037270D5C5A8A16B42DA4DD57153421F2A3B675645472A6F28A0D2724749C32D75AB9EAB275E0F1B72CF4
                                          Malicious:false
                                          Reputation:low
                                          Preview:attribute highp vec3 vertexIn;..attribute highp vec3 normal;....out Vertex..{.. vec3 normal;..} vertex;....void main(void)..{...gl_Position = vec4(vertexIn, 1.0);...vertex.normal = normal;..}..
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1318
                                          Entropy (8bit):5.044374735527496
                                          Encrypted:false
                                          SSDEEP:24:PAonNznXTAXxXGXcuuIP1SfLKTqo9bRhCRsfuRznaRz6Rz59K8:jn1EBWsuuIPq2r3+9F
                                          MD5:77BDBFB03ED4EF0DD94B8DF011B49539
                                          SHA1:E18E3DB7B10E05FD10FBEB7309E0B7965990A087
                                          SHA-256:5BFC1464DBA215315ACF03FF79F026A1B86CC9845DBFC08079D54F4A7BB7012D
                                          SHA-512:7ACB2A78C42F7C80E57B515934D9B96F8A70002807368E03AD3CE6F434E549680A68B43BD975CC6023DF016DF0F51FF4C9EE6AD4A5FF1DC4F17ECCDF8F57E73D
                                          Malicious:false
                                          Reputation:low
                                          Preview://////////////////////////////////////////////////////////////////////////////////////..//..//..//.EyeDome Lighting.-.Compositing..//..//..C.B. - 04/23/2008..//..D.G-M. - 10/21/2010..//..//.IN:..//..s2_I1..-.full scale shading image..//..s2_I2..-.half-size shading image..//..s2_I4..-.quarter-size shading image..//..s2_D..-.depth image..//.OUT:..//..composited image..//..//////////////////////////////////////////////////////////////////////////////////////..//#extension GL_ARB_draw_buffers : enable..../**************************************************/..uniform.sampler2D.s2_I1;.//.X1 scale..uniform sampler2D.s2_I2;.//.X2 scale..uniform sampler2D.s2_I4;.//.X4 scale..uniform sampler2D.s2_D;.// initial depth texture..//..uniform float..A0;..uniform float..A1;..uniform float..A2;../**************************************************/....void main (void)..{...float d = texture2D(s2_D,gl_TexCoord[0].st).r;...if( d > 0.999)...{....gl_FragData[0].rgb = texture2D(s2_I1,gl_TexCoord[0].st).rgb
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):535
                                          Entropy (8bit):4.083502322762377
                                          Encrypted:false
                                          SSDEEP:12:PAonNBFXXEX6cAX6LrPYX6i5YX6vIDREyS90S2xst:PAonNBFkXTAXxXGXv4
                                          MD5:06459F93E931EB1B37A11A009528956F
                                          SHA1:37871AE603F3B77AB0D98531B034F03F2E308C5C
                                          SHA-256:4A33B591ED0990CDD03D3BCD4EDFEAC0E40AFF413D57E087AFB6D73909C27E24
                                          SHA-512:92E49398C4F6402F679541631B2148D280FB2F261D98C27AF564D9178AF926F284340F7557F5945DE70F746FFDE8F8971BA61A0D31828570F70430A55E42398A
                                          Malicious:false
                                          Reputation:low
                                          Preview://////////////////////////////////////////////////////////////////////////////////////..//..//..//.EyeDome Lighting.-.Compositing..//..//..C.B. - 23 avril 2008..//..//.IN:...//..s2_I1..-.full scale shading image..//..s2_I2..-.half-size shading image..//..s2_I4..-.quarter-size shading image..//..s2_D..-.depth image..//.OUT:...//..composited image..//..//////////////////////////////////////////////////////////////////////////////////////..void.main ()..{...gl_TexCoord[0].=.gl_MultiTexCoord0;....gl_Position =.ftransform ();..}..
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):2752
                                          Entropy (8bit):5.165830354759113
                                          Encrypted:false
                                          SSDEEP:48:jnDKCC0lDn2eeCQEYyq88Ubro5yyHFyJ/kQasAADLFPaB6Yp0g9:jnDKC90y1vo5ZMJ1asAAXhaB6Yug9
                                          MD5:13AC0F89F28390C4A112E21988A32B15
                                          SHA1:0025C25A822F6724D5D2E1EBB9A3374773CEB391
                                          SHA-256:E54BD02726535231A7764A41CBF17B88D257344518212839DCE42EA3B263BD5F
                                          SHA-512:80819A1563A961EAB7388B1BC2C7C9D7585B15A5153DAD28BDB05C5B1A173A18EAE7573F531530DC2D1996A5F16E2ED4545906ABD4692E48269AD680D2234DF4
                                          Malicious:false
                                          Reputation:low
                                          Preview://////////////////////////////////////////////////////////////////////////////////////..//..//..//.EyeDome Lighting - oriented light version..//..//..C.B. - 04/23/2008..//..D.G-M. - 10/21/2010..//..D.G-M. - 02/17/2014..//..//.IN:. Depth buffer of the scene..//...r (red component) = recorded z..//.OUT:.EDL shaded image..//..///////////////////////////////////////////////////////////////////////////////////////..//#extension GL_ARB_draw_buffers : enable..//#version 110..../**************************************************/..uniform.sampler2D.s1_color;..uniform.sampler2D.s2_depth;....uniform float..Pix_scale;....// (relative) pixel scale in image..uniform vec2..Neigh_pos_2D[8];..// array of neighbors (2D positions)..uniform float..Exp_scale;....// exponential scale factor (for computed AO)....uniform float..Zm;......// minimal depth in image..uniform float..ZM;......// maximal depth in image....uniform float..Sx;......// screen width (pix)..uniform float..Sy;......// screen heigh
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):429
                                          Entropy (8bit):3.810326833847726
                                          Encrypted:false
                                          SSDEEP:6:eUAY5nTPkFXC5yqfMeLDtxG7GEyS90S2x1Qpt:PAongFX8LDtcqEyS90S2xst
                                          MD5:157661B48C7FB9C9423CD2BA933ED373
                                          SHA1:C1446AA6649137E25C4A269905473AC84CB96E8B
                                          SHA-256:C0DFD4C7CC4FBBFF34B3107E97EBE6E7A1EC90064A5AF1F48FFAB24AEE02AC0F
                                          SHA-512:CE2D36526701B3F06A5B069FF5C0265D430BF30EC8537636C8D8CA0D739CF87D040E50AD3DFF740FEC9140229339460B86FE6BB171DD9D355872239EE66EC5A6
                                          Malicious:false
                                          Reputation:low
                                          Preview://////////////////////////////////////////////////////////////////////////////////////..//..//..//.EyeDome Lighting..//..//..C.B. - 23 avril 2008..//..//.IN:.Depth buffer of the scene..//...r = recorded z, in [0:1]..//.OUT:.EDL shaded image..//..///////////////////////////////////////////////////////////////////////////////////////..void.main ()..{...gl_TexCoord[0].=.gl_MultiTexCoord0;....gl_Position =.ftransform ();..}..
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):2752
                                          Entropy (8bit):5.165830354759113
                                          Encrypted:false
                                          SSDEEP:48:jnDKCC0lDn2eeCQEYyq88Ubro5yyHFyJ/kQasAADLFPaB6Yp0g9:jnDKC90y1vo5ZMJ1asAAXhaB6Yug9
                                          MD5:13AC0F89F28390C4A112E21988A32B15
                                          SHA1:0025C25A822F6724D5D2E1EBB9A3374773CEB391
                                          SHA-256:E54BD02726535231A7764A41CBF17B88D257344518212839DCE42EA3B263BD5F
                                          SHA-512:80819A1563A961EAB7388B1BC2C7C9D7585B15A5153DAD28BDB05C5B1A173A18EAE7573F531530DC2D1996A5F16E2ED4545906ABD4692E48269AD680D2234DF4
                                          Malicious:false
                                          Reputation:low
                                          Preview://////////////////////////////////////////////////////////////////////////////////////..//..//..//.EyeDome Lighting - oriented light version..//..//..C.B. - 04/23/2008..//..D.G-M. - 10/21/2010..//..D.G-M. - 02/17/2014..//..//.IN:. Depth buffer of the scene..//...r (red component) = recorded z..//.OUT:.EDL shaded image..//..///////////////////////////////////////////////////////////////////////////////////////..//#extension GL_ARB_draw_buffers : enable..//#version 110..../**************************************************/..uniform.sampler2D.s1_color;..uniform.sampler2D.s2_depth;....uniform float..Pix_scale;....// (relative) pixel scale in image..uniform vec2..Neigh_pos_2D[8];..// array of neighbors (2D positions)..uniform float..Exp_scale;....// exponential scale factor (for computed AO)....uniform float..Zm;......// minimal depth in image..uniform float..ZM;......// maximal depth in image....uniform float..Sx;......// screen width (pix)..uniform float..Sy;......// screen heigh
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):429
                                          Entropy (8bit):3.810326833847726
                                          Encrypted:false
                                          SSDEEP:6:eUAY5nTPkFXC5yqfMeLDtxG7GEyS90S2x1Qpt:PAongFX8LDtcqEyS90S2xst
                                          MD5:157661B48C7FB9C9423CD2BA933ED373
                                          SHA1:C1446AA6649137E25C4A269905473AC84CB96E8B
                                          SHA-256:C0DFD4C7CC4FBBFF34B3107E97EBE6E7A1EC90064A5AF1F48FFAB24AEE02AC0F
                                          SHA-512:CE2D36526701B3F06A5B069FF5C0265D430BF30EC8537636C8D8CA0D739CF87D040E50AD3DFF740FEC9140229339460B86FE6BB171DD9D355872239EE66EC5A6
                                          Malicious:false
                                          Reputation:low
                                          Preview://////////////////////////////////////////////////////////////////////////////////////..//..//..//.EyeDome Lighting..//..//..C.B. - 23 avril 2008..//..//.IN:.Depth buffer of the scene..//...r = recorded z, in [0:1]..//.OUT:.EDL shaded image..//..///////////////////////////////////////////////////////////////////////////////////////..void.main ()..{...gl_TexCoord[0].=.gl_MultiTexCoord0;....gl_Position =.ftransform ();..}..
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1318
                                          Entropy (8bit):5.044374735527496
                                          Encrypted:false
                                          SSDEEP:24:PAonNznXTAXxXGXcuuIP1SfLKTqo9bRhCRsfuRznaRz6Rz59K8:jn1EBWsuuIPq2r3+9F
                                          MD5:77BDBFB03ED4EF0DD94B8DF011B49539
                                          SHA1:E18E3DB7B10E05FD10FBEB7309E0B7965990A087
                                          SHA-256:5BFC1464DBA215315ACF03FF79F026A1B86CC9845DBFC08079D54F4A7BB7012D
                                          SHA-512:7ACB2A78C42F7C80E57B515934D9B96F8A70002807368E03AD3CE6F434E549680A68B43BD975CC6023DF016DF0F51FF4C9EE6AD4A5FF1DC4F17ECCDF8F57E73D
                                          Malicious:false
                                          Reputation:low
                                          Preview://////////////////////////////////////////////////////////////////////////////////////..//..//..//.EyeDome Lighting.-.Compositing..//..//..C.B. - 04/23/2008..//..D.G-M. - 10/21/2010..//..//.IN:..//..s2_I1..-.full scale shading image..//..s2_I2..-.half-size shading image..//..s2_I4..-.quarter-size shading image..//..s2_D..-.depth image..//.OUT:..//..composited image..//..//////////////////////////////////////////////////////////////////////////////////////..//#extension GL_ARB_draw_buffers : enable..../**************************************************/..uniform.sampler2D.s2_I1;.//.X1 scale..uniform sampler2D.s2_I2;.//.X2 scale..uniform sampler2D.s2_I4;.//.X4 scale..uniform sampler2D.s2_D;.// initial depth texture..//..uniform float..A0;..uniform float..A1;..uniform float..A2;../**************************************************/....void main (void)..{...float d = texture2D(s2_D,gl_TexCoord[0].st).r;...if( d > 0.999)...{....gl_FragData[0].rgb = texture2D(s2_I1,gl_TexCoord[0].st).rgb
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):535
                                          Entropy (8bit):4.083502322762377
                                          Encrypted:false
                                          SSDEEP:12:PAonNBFXXEX6cAX6LrPYX6i5YX6vIDREyS90S2xst:PAonNBFkXTAXxXGXv4
                                          MD5:06459F93E931EB1B37A11A009528956F
                                          SHA1:37871AE603F3B77AB0D98531B034F03F2E308C5C
                                          SHA-256:4A33B591ED0990CDD03D3BCD4EDFEAC0E40AFF413D57E087AFB6D73909C27E24
                                          SHA-512:92E49398C4F6402F679541631B2148D280FB2F261D98C27AF564D9178AF926F284340F7557F5945DE70F746FFDE8F8971BA61A0D31828570F70430A55E42398A
                                          Malicious:false
                                          Reputation:low
                                          Preview://////////////////////////////////////////////////////////////////////////////////////..//..//..//.EyeDome Lighting.-.Compositing..//..//..C.B. - 23 avril 2008..//..//.IN:...//..s2_I1..-.full scale shading image..//..s2_I2..-.half-size shading image..//..s2_I4..-.quarter-size shading image..//..s2_D..-.depth image..//.OUT:...//..composited image..//..//////////////////////////////////////////////////////////////////////////////////////..void.main ()..{...gl_TexCoord[0].=.gl_MultiTexCoord0;....gl_Position =.ftransform ();..}..
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):452
                                          Entropy (8bit):3.924773619817995
                                          Encrypted:false
                                          SSDEEP:6:eUAxnQy+G+5CUQe8ixibWUaTTEyS90S2x1Qpt:PAxd5fUQVixWYTEyS90S2xst
                                          MD5:8721B966217FAD5523761FBB6A0397F5
                                          SHA1:F940E461D69299D1DB3A0FA89F0F4991B6F57CE7
                                          SHA-256:0BF3FE472D045CACC5B31685600965B24EBED800FE6713904D55E143751BFC11
                                          SHA-512:ED09207794F9578FC87E9DA65A044F2516B22BE58AA5DCE73B2BB2B86E0603F6DC6310218A2897ECE956555D8D8D8DA977534C719890C1AB05B43AB2CEA2F7C1
                                          Malicious:false
                                          Reputation:low
                                          Preview://////////////////////////////////////////////////////////////////////////////////////..//..//..//.Screen Space Ambient Occlusion..//..//..C.B. - 5 march 2008..//..Adapted from notes by Crytek and Inigo Quilez..//..//.OUT:.gl_TexCoord[0].-.viewport coordinates..//..////////////////////////////////////////////////////////////////////////////////////////....void.main ()..{...gl_TexCoord[0].=.gl_MultiTexCoord0;....gl_Position =.ftransform ();..}..
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):2146
                                          Entropy (8bit):4.727927174433521
                                          Encrypted:false
                                          SSDEEP:24:PAxP6UQZLDz9AewBrCMD+k/oYmS08B1D/X3RNBhqIcURiYc5MHG7fRz0nZvl3/68:E6UE/JDAqYmHGBhqVOHGSZR65Zc1xZ
                                          MD5:8DAFF0D8D1933FEDF30066894DADF46A
                                          SHA1:C1C5325C136C53461151C2C6611D8DD2BC0CB58E
                                          SHA-256:D32EB2AE3279762DAF211C7C347638A0D0DBBEE98EB6E5CC634B0D3AC864ACB0
                                          SHA-512:BF43A470FDA5CE536D483BB35566A49111A60B4B103935BD8470CD543D39B4B819438BE8F3517D096E05654AE5C8A732110F808048A8D0EBA426DDF148CD1F67
                                          Malicious:false
                                          Reputation:low
                                          Preview://////////////////////////////////////////////////////////////////////////////////////..//..//..//.Screen Space Ambient Occlusion..//..//..C.B. - 03/05/2008..//..D.G-M. - 10/22/2010..//..Adapted from notes by Crytek and Inigo Quilez..//..//.IN:.Depth buffer of the scene..//...r = recorded z, in [0:1]..//.OUT:.AO shaded image..//..////////////////////////////////////////////////////////////////////////////////////////....//#extension GL_ARB_draw_buffers : enable....//////////////////////////////////////////////////////////////////////////////////////..//..uniform.sampler2D.s2_Z;..uniform sampler2D.s2_R;..uniform sampler2D.s2_C;....uniform float.R;..//.Radius of neighborhood sphere..uniform.float.F;..//.Amplification of shading..uniform float.Kz;..//.distance attenuation factor..uniform int. B_REF;..//.if 1 use random reflect of neighbours..uniform vec3.P[256];..//.The Neighbours in unit sphere..const.int. N = 32;..//.Number of neighbouri..//..//////////////////////////////////
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):2146
                                          Entropy (8bit):4.727927174433521
                                          Encrypted:false
                                          SSDEEP:24:PAxP6UQZLDz9AewBrCMD+k/oYmS08B1D/X3RNBhqIcURiYc5MHG7fRz0nZvl3/68:E6UE/JDAqYmHGBhqVOHGSZR65Zc1xZ
                                          MD5:8DAFF0D8D1933FEDF30066894DADF46A
                                          SHA1:C1C5325C136C53461151C2C6611D8DD2BC0CB58E
                                          SHA-256:D32EB2AE3279762DAF211C7C347638A0D0DBBEE98EB6E5CC634B0D3AC864ACB0
                                          SHA-512:BF43A470FDA5CE536D483BB35566A49111A60B4B103935BD8470CD543D39B4B819438BE8F3517D096E05654AE5C8A732110F808048A8D0EBA426DDF148CD1F67
                                          Malicious:false
                                          Reputation:low
                                          Preview://////////////////////////////////////////////////////////////////////////////////////..//..//..//.Screen Space Ambient Occlusion..//..//..C.B. - 03/05/2008..//..D.G-M. - 10/22/2010..//..Adapted from notes by Crytek and Inigo Quilez..//..//.IN:.Depth buffer of the scene..//...r = recorded z, in [0:1]..//.OUT:.AO shaded image..//..////////////////////////////////////////////////////////////////////////////////////////....//#extension GL_ARB_draw_buffers : enable....//////////////////////////////////////////////////////////////////////////////////////..//..uniform.sampler2D.s2_Z;..uniform sampler2D.s2_R;..uniform sampler2D.s2_C;....uniform float.R;..//.Radius of neighborhood sphere..uniform.float.F;..//.Amplification of shading..uniform float.Kz;..//.distance attenuation factor..uniform int. B_REF;..//.if 1 use random reflect of neighbours..uniform vec3.P[256];..//.The Neighbours in unit sphere..const.int. N = 32;..//.Number of neighbouri..//..//////////////////////////////////
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):452
                                          Entropy (8bit):3.924773619817995
                                          Encrypted:false
                                          SSDEEP:6:eUAxnQy+G+5CUQe8ixibWUaTTEyS90S2x1Qpt:PAxd5fUQVixWYTEyS90S2xst
                                          MD5:8721B966217FAD5523761FBB6A0397F5
                                          SHA1:F940E461D69299D1DB3A0FA89F0F4991B6F57CE7
                                          SHA-256:0BF3FE472D045CACC5B31685600965B24EBED800FE6713904D55E143751BFC11
                                          SHA-512:ED09207794F9578FC87E9DA65A044F2516B22BE58AA5DCE73B2BB2B86E0603F6DC6310218A2897ECE956555D8D8D8DA977534C719890C1AB05B43AB2CEA2F7C1
                                          Malicious:false
                                          Reputation:low
                                          Preview://////////////////////////////////////////////////////////////////////////////////////..//..//..//.Screen Space Ambient Occlusion..//..//..C.B. - 5 march 2008..//..Adapted from notes by Crytek and Inigo Quilez..//..//.OUT:.gl_TexCoord[0].-.viewport coordinates..//..////////////////////////////////////////////////////////////////////////////////////////....void.main ()..{...gl_TexCoord[0].=.gl_MultiTexCoord0;....gl_Position =.ftransform ();..}..
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):11594752
                                          Entropy (8bit):5.8614931256398926
                                          Encrypted:false
                                          SSDEEP:49152:NNzpamKhw2a6O4ZycLPqxfXj9fKtYdOMiyys0dRssdkVEMNMndxm7mBU0915ROHU:ocdiDDMEf0Ff7IMHSdj
                                          MD5:7EF9CF9E7604E9E4728E63A85C9F5BEC
                                          SHA1:89BDDE3F68645FB7BE3F21A970B6E3AF8C750704
                                          SHA-256:66F741623E01E7204664D58750A44100D5342BCA0706EA58396DE925AE3041EB
                                          SHA-512:74BF0C9884C02B9827E1D80067535C1039A38C6DBE64695ABFF6C4CC10738A951FE72F7069376594BABA26B468D6046DE1A1650D4CA7D985AA77CB3C1B46BA90
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):898048
                                          Entropy (8bit):6.498739548040389
                                          Encrypted:false
                                          SSDEEP:24576:mdk0Ytz7DREjBqXwuAOL7fjiV8t6f5xl4o9DCf:71tvDREjB01AOL7fn6fTeo9DM
                                          MD5:425A907E436D0FF71889DA0BF481DDD6
                                          SHA1:50D34868FADA4D532219F5B5252933757DAFFE04
                                          SHA-256:E4434FCF8C9DB1C3A09D4585B3AB4C47C6C6071A6117875544347068EEC84FF1
                                          SHA-512:E0F4938444DAE10DE8B47001482B4F5441BDB3C14D3AFB672A8D87B41756C9B6A28CFF643755A03E2A0F4F3CBC341A9FA34586B7A6B6DE4A9CC479D49BE1B9BD
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):342016
                                          Entropy (8bit):6.124318304938587
                                          Encrypted:false
                                          SSDEEP:6144:vSqToXHt3rCtyUh3tizLg0SKiKxKDxrPnowU8s/bOgYP/8nU9EqTBD70eIzFvP6t:vSEoXHt3rwyUh3kz80SKVxKDdvowUj/C
                                          MD5:CE7CFCEA2D533B47372AC342E0BC56A3
                                          SHA1:ACBF16636AB30277983FED1E0401A9439CA1CF83
                                          SHA-256:AC6FD3101AC471A007693444153F7796ACD427C4B5E91BFEBCF015F0B95C6C08
                                          SHA-512:134ACDB8EF1828074D145FACA41EA4BA269BAC0C038B24BAAC9A955D78557E290DCEDD727FCCE29D772D51E5763B8ED5BCB4AFA96C21209FF73BDF4242F0E4F3
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):31
                                          Entropy (8bit):4.373551149096553
                                          Encrypted:false
                                          SSDEEP:3:lLWQfZfd9:RWCpd9
                                          MD5:D3FC27613FF7EBD51808D0A0DB4D0FC9
                                          SHA1:E7E8F95165C18B542653B21FB71F970A03BE60E0
                                          SHA-256:9D5C9D8C3035D78040D5323DF783EA085EEFBED8780893139D30BAA3BD9E6455
                                          SHA-512:31B7CCDC6746CBA7B95CA51D93BA3F496DB64650CB716E0DBB4DCC46047065DF60BFDCA7C390CAACBE77D9AD17FF6084DFE5CE076ACB4EC30BC2EC95DA2A3B52
                                          Malicious:false
                                          Reputation:low
                                          Preview:@set PATH=...CloudCompare.exe..
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):144368
                                          Entropy (8bit):6.294675868932723
                                          Encrypted:false
                                          SSDEEP:3072:rrjwZ43rCOtrBk7wcR0l7wBlaL6BtIEt51T0Nhkqg8FoQY:7hZu9R0l7wFBtIEt51T0Nuqg8JY
                                          MD5:53A85F51054B7D58D8AD7C36975ACB96
                                          SHA1:893A757CA01472A96FB913D436AA9F8CFB2A297F
                                          SHA-256:D9B21182952682FE7BA63AF1DF24E23ACE592C35B3F31ECEEF9F0EABEB5881B9
                                          SHA-512:35957964213B41F1F21B860B03458404FBF11DAF03D102FBEA8C2B2F249050CEFBB348EDC3F22D8ECC3CB8ABFDC44215C2DC9DA029B4F93A7F40197BD0C16960
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):144368
                                          Entropy (8bit):6.294675868932723
                                          Encrypted:false
                                          SSDEEP:3072:rrjwZ43rCOtrBk7wcR0l7wBlaL6BtIEt51T0Nhkqg8FoQY:7hZu9R0l7wFBtIEt51T0Nuqg8JY
                                          MD5:53A85F51054B7D58D8AD7C36975ACB96
                                          SHA1:893A757CA01472A96FB913D436AA9F8CFB2A297F
                                          SHA-256:D9B21182952682FE7BA63AF1DF24E23ACE592C35B3F31ECEEF9F0EABEB5881B9
                                          SHA-512:35957964213B41F1F21B860B03458404FBF11DAF03D102FBEA8C2B2F249050CEFBB348EDC3F22D8ECC3CB8ABFDC44215C2DC9DA029B4F93A7F40197BD0C16960
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                          Category:dropped
                                          Size (bytes):640512
                                          Entropy (8bit):6.552116885372862
                                          Encrypted:false
                                          SSDEEP:12288:ltu3Vl+FYgd6Y5uvdrc7vBPj9KhPkLpLYz:ltu3VlfdY5Mdrc7vN91NLO
                                          MD5:533F81EB1CDADD117C5D0B2D75CE0D8A
                                          SHA1:C6003769F1CC324F7AEC324F1626A25D7396008D
                                          SHA-256:65F029D7DB3B4F4D372E89D490A77BDC43934563C5EE70E7501E12DEFFC79E5C
                                          SHA-512:56636DE5D2A61D9CF8F0DAFAB2CA8514885374B0C87B38766DC53EB5C84F8BD281D4451E8B20481B223A8428DCD34653D7106CA130AD7186DEC99C655CBC9892
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                          Category:dropped
                                          Size (bytes):646656
                                          Entropy (8bit):6.609281858827991
                                          Encrypted:false
                                          SSDEEP:12288:OglwOtpxXkR8AePKhBWvtUcvmfc1TnKGJfSBZHllBNlRCDddyNdtsprNE2:O4wOtpxXkR8AePKhBWvtUcvkc1qHlhlW
                                          MD5:59F908380C488F066D712014EEFF5BD7
                                          SHA1:CBA52F89D7E9087F694CB7D6958A80B6858EED75
                                          SHA-256:7F6FEAD1AA53772FD657D4462826E042B8F2049D3C3BBB493752F22B058F3A78
                                          SHA-512:D7E2E459B417B9C23CAAAE3843442048035DEF57F7ED679999EBFAD648E2455E0E6E0BC4FE229D62F7BDD7ED94D6C86156EE4CB7ED0A7C742F3B81CD2D3FFCDB
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):48640
                                          Entropy (8bit):6.318600850824361
                                          Encrypted:false
                                          SSDEEP:384:OAsSKWgciQhMwpuEEXd6erEvCZ9dWVQlmg5EP+Bs4mw0z4KVX055VuPXkr/YuPCQ:j2sbAQE7WSgPws4mn5ahJ0yzK777cF
                                          MD5:4689FC376ACE9A9BD7C9B313850EC0BF
                                          SHA1:7E9C5BF39F0AF67983433F2459B08548C7542338
                                          SHA-256:E221514B68083A2F57B8441433A197A07D569F4038D8F0BD68F1734D95F9A456
                                          SHA-512:CA61E3BA794CEF6B53C06D34B17770363BC4FD9A436EF23111190321ABE0E1D606891B11C13159D6B3685385B09511E3A2FED2532B991CFC7883E8B0061C243F
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):261872
                                          Entropy (8bit):6.124188159004726
                                          Encrypted:false
                                          SSDEEP:3072:Td//dQmubTGzYPhdKbN/0mXNiL1JNUdvjyLBl2ndaLemXqiTlN/cozR6hyYGHs:YHGSo/Dc1ZLBl2daLGixRcozR6hyns
                                          MD5:C974C7B8CC66714A4BE0A7FAC840D193
                                          SHA1:E83936D5E3A1939B5B830B043936D55D79376CBD
                                          SHA-256:DA5E47C1FBA5C990CF66C529DA15EC050E3BA50EF9BEEE44AC8EC83A575E3569
                                          SHA-512:50C47CF18E354284CCEE0E370758EC5498B9D0769DC90141AFD458CC0D1D173423D12DD45E2EC140F5BAB4BADD017531FB81D6046340216ADD94B8BFF4553CA3
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):123632
                                          Entropy (8bit):6.284281913194961
                                          Encrypted:false
                                          SSDEEP:3072:/SfUojZOKNl/EYtExUOpyMZ7VnHFcDbOdKO4:/SsYZOK7cxtpyMJFHFcDbO8O4
                                          MD5:F6B28E1272214B3B7134D792CE38F956
                                          SHA1:81767B15ADC49BA1E9CF16498D3E6D20CA93FF40
                                          SHA-256:EC3298F6A7BDE1D4CAB59BA629BBEE87A322D0EFDC8A59D87FF6D406240407B1
                                          SHA-512:4A40CD3320512D19B9F63C793351DC9A374615E8BA6EAFAD2AE7A1C6D9A92A152106FBB5F96AB01ECE3D87CBA4C5FD050524DCBE4842F4E12D5B2F09D778052B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):16
                                          Entropy (8bit):4.0
                                          Encrypted:false
                                          SSDEEP:3:j2wZC4n:CwZ
                                          MD5:BCEBCF42735C6849BDECBB77451021DD
                                          SHA1:4884FD9AF6890647B7AF1AEFA57F38CCA49AD899
                                          SHA-256:9959B510B15D18937848AD13007E30459D2E993C67E564BADBFC18F935695C85
                                          SHA-512:F951B511FFB1A6B94B1BCAE9DF26B41B2FF829560583D7C83E70279D1B5304BDE299B3679D863CAD6BB79D0BEDA524FC195B7F054ECF11D2090037526B451B78
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):521134
                                          Entropy (8bit):4.716352469714204
                                          Encrypted:false
                                          SSDEEP:3072:/QRPXd59C54WJPXu0tQk0kaZRFtfms1B/AQ6fv7WSNPlitNS/SFAnINaXbtsh9ed:4PtPCsfhuj+g7YcVzsWAZCQepNTn
                                          MD5:5FF09C5E4C5737EC86CBB8B803D4EE1D
                                          SHA1:628157DE3381DFD45051A5D0669E41E86282912F
                                          SHA-256:71F1E7E4CD5AD771CF9DD031C4AD0EDB52B86355AFE0CAA362F20396FE9C7773
                                          SHA-512:78521DEF6AC6EE85B6736D4729C94D7C4066622F80345F6042AB977AB72842582F9157F88A9E3C47C4DFED69DAFA49273525300CD74960C38B1DB199F7EE8D88
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):381344
                                          Entropy (8bit):4.669829345699403
                                          Encrypted:false
                                          SSDEEP:3072:OkBYIWUj1W4pL/HQk0kaf7HAQ+hcdaLIsabkjZFItfdKv0NMRTFSZ0SEWWC1vMhL:OkBFVj7Y7H6vdaOrzAnLKcfeoT3i
                                          MD5:7E515CB3FEB67498865D63BDFBFD6F8D
                                          SHA1:121EB386EA79599FD893A34DC43990CEADDAB093
                                          SHA-256:C7DCDCEFB2C9F5973F2A29B0DE986918B8226B09C807D7E6A2199DB077BCFBA3
                                          SHA-512:6D590D4D869C097B939404E07EF770AB9D7520DE819C12CD92E82EA79FDD452E2C4EBDD93E8C4D3573C81E941E101D9D1697579F84CF0017168097AD12DEDDEC
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):53795
                                          Entropy (8bit):4.600892640452502
                                          Encrypted:false
                                          SSDEEP:768:GNexnUsfsWVZqugdji6gBG0dzWnhpDnlPhBvwtL/P6GMG:rKcd+pethR
                                          MD5:6A7D4CB69AC026B9A0DB6E51D3D78117
                                          SHA1:CBC9763F6E3B543127FB36F36384DB2A593D63BF
                                          SHA-256:961542E2B04EE03A56480040D5EF41AADC19D53BB5491B9867346D5FC9A3CA4F
                                          SHA-512:DD8F9969299A594C8F836F1760A65171EF466E66F3B881CF6FF357149CE40C3525FBEE9C6162B038D939877DD2EE5CE7A8D22953F11E023558E1FCB8940B274F
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):52749
                                          Entropy (8bit):5.753260720005621
                                          Encrypted:false
                                          SSDEEP:768:rjI8s8JzufJWPFuhjZ6Jl3a/xLfwqL86jrkqJNYuuitrFrI4CHXu8j:rU8XUJW9uj4+46Hkq/YuuUBIhX5
                                          MD5:46F9ED5E1C64EBFAA86BAFB3CD751C5C
                                          SHA1:013DE3E06B4DFA168D717E12D4848889F72C12B7
                                          SHA-256:BDF2F0C8653BD5045CB932655CBD6C3068FE8355CF19394F78F3B28FE3C252AF
                                          SHA-512:6A6A501C8E870D35007A0737A1733A3E85FF6208904624EF65F713F53D87AEC15673C4812FCF41D8435E398536667F8C31FA1E6A7E8F299DDC800499F4AC9829
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):553296
                                          Entropy (8bit):5.6770423337867655
                                          Encrypted:false
                                          SSDEEP:6144:bcNJ7OG267kmchn3dVBlNnEU+CudooAH2Vng2/F5tmQh0:azwmch3dVBlGU+2cgd
                                          MD5:31D12C0A17D3790A624421740678C83E
                                          SHA1:65B4B5747BAC1D55AD46AD9CD68980A41C13D726
                                          SHA-256:E5941229506994E3FF58B0C53D91E7091AA3FB0FC6FF80B505F92D41DCD95DB9
                                          SHA-512:DA71848A3E6749DF8B2DC529A27C0CE408C876EC94DAE78E4F50A13AB13A82AEEEB341CAED6CFFB3EEA06BB56D1FA4AE27EBE70D7A99A30BEB4180277FBBA944
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):342848
                                          Entropy (8bit):5.71396246768156
                                          Encrypted:false
                                          SSDEEP:3072:/NQaUZP9PtWDdQk0kaRkBOQNydtLIEaVl+TdVv0NMzTySZ0SEWWCuTh3Qz5OgwQr:FUZP9iCkBV95vK6uPl3LhdPag
                                          MD5:041A18E4EAA08BE4F565E3B7ED1C7CEA
                                          SHA1:90FD52A9943BB51CEAAD511EA0F31D1C9FED723E
                                          SHA-256:70ADDFD279E4290A21A87BC0B968569F1946ECEB0ECC9F1D8EF7212197D7D735
                                          SHA-512:EEB682F8568DEDB2592E6B74762BEE96BA00E77B475F9FA904FAFC42166B0C37AEA2875E7D849D12E4DF74B3BF58C02E3AA1F50D18D3F7310B21304016030EFB
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):62408
                                          Entropy (8bit):4.592973557077949
                                          Encrypted:false
                                          SSDEEP:768:kHGKVIbWVZ/utdRC/BIu0f4gfaGUATr8x+dVtDbP:kHGKyEeuPgfaGxlP
                                          MD5:33B55A906BE90674F9588BA40AF78D87
                                          SHA1:31515CC7AA4DAFF5F1B406AB269CF46AC7AECF55
                                          SHA-256:6A6DACCB8D5C1D0E11725AF101FE8B68D21793B217E54B44E65E986658B19D5D
                                          SHA-512:BAA2ACF8ED6D657BAF48DD7B6DD0481EEA87D6D2BE8C685FF6C0CAF56FB565054DA1080A3F154F1087977A2FDCD3E5EB40CFCA862CD518C4D8B676D20832F541
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):496971
                                          Entropy (8bit):5.350633764762437
                                          Encrypted:false
                                          SSDEEP:3072:7fJqbWgMfKhqZnTFWTQk0kaXXEQAv6xMdFLIEasRP2JdVv0NMDTKSL0SEWWC2O48:74WgMf9TlXKLhzkn8TQrR
                                          MD5:E8EC7F482E36489E303D79B6060CB412
                                          SHA1:494C63A091D8063F351514C4D47CC0539A63958F
                                          SHA-256:B360CBE71F9C6D54E96F42A5F50F08D9F3540211952F6712CDB7FE8BFA08E6C4
                                          SHA-512:88EBAC5083BF8D2273898937FAC19732248118D20147D3A113115368C0E18333EB4E3F2002EE4DEE972B956D51ED2A3E1C84F2051090CD028525DC7273299578
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):248501
                                          Entropy (8bit):5.750926703704071
                                          Encrypted:false
                                          SSDEEP:3072:I0yQJ2tW3e99dqqmKndVtilxIWw+FAcxRt92T6lJEQ45jPrI3:SY5emkkiW46R3k/FI3
                                          MD5:B8D2C4AD739C1E1170E59DB953A15D4A
                                          SHA1:CA6E7D99D3EF4EFA94184C2D93231C0126670D30
                                          SHA-256:F9ED475A57543C5BB790D0172652C731D5AE58CC54C33D6DF62512C771679F50
                                          SHA-512:5A6F9DF34538287A7C48A3DF3824478E8D974E34C7EB0E4732F0CF96428BD27E43E35B25E85E409157BC198BB297D176CA264F1C6FE36535DABD42471A143E3B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):129911
                                          Entropy (8bit):5.802855391832282
                                          Encrypted:false
                                          SSDEEP:1536:W8YYSCjKBJ26c1Z7f25pVmuLXpxfqt7FEUWNrfQje9kWI23pKXvx:xYuKBJ01Z7u5pQuLbESUWNzAAI23pKfx
                                          MD5:608B80932119D86503CDDCB1CA7F98BA
                                          SHA1:7F440399ABA23120F40F6F4FCAE966D621A1CC67
                                          SHA-256:CBA382ACC44D3680D400F2C625DE93D0C4BD72A90102769EDFD1FE91CB9B617B
                                          SHA-512:424618011A7C06748AADFC2295109D2D916289C81B01C669DA4991499B207B781604A03259C546739A3A6CF2F8F6DFA753B23406B2E2812F5407AEE343B5CBDD
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):33
                                          Entropy (8bit):4.513794876803093
                                          Encrypted:false
                                          SSDEEP:3:j2wZC4C/rOw+8k:Cwef+8k
                                          MD5:AAEA7BA475C961F941D0A23488457BEB
                                          SHA1:2BF0054002C8F7D85DD080DF332553BF9B3A8E26
                                          SHA-256:494AC9A2B2CB2FDECED353F4A9F898ED8DCF616E9BC667438C62681E3F7F79CF
                                          SHA-512:5B408C36C8F93F71E73E3D3B1C0C2AD699E92A6088604B8ADF8E588E8A75FC3FC92828199B7F00F5B05B224AE819220D07E56D610A76A267594870BEC77172BE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):127849
                                          Entropy (8bit):5.83455389078597
                                          Encrypted:false
                                          SSDEEP:3072:Fv2cHP10gOs6dcFxsJopMqOWv2WIrPFP8pa:Fh6s6iFxEodjef8pa
                                          MD5:9C6A3721D01ECAF3F952CE96F46CE046
                                          SHA1:4A944E9E31DF778F7012D8E4A66497583BFD2118
                                          SHA-256:085D29EAF9BBB788B2F2503D74A1EF963A9411CEB600441254CE49A120E1AB63
                                          SHA-512:6E2807B8785F42A26C9CCBDBA0327DD40B529B10C468593F0E74113774D1CCDAA4FD9ACE9B259B9040E1475911428ECAEA49425B0F170862CF8147D23DB48E46
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):16
                                          Entropy (8bit):4.0
                                          Encrypted:false
                                          SSDEEP:3:j2wZC4n:CwZ
                                          MD5:BCEBCF42735C6849BDECBB77451021DD
                                          SHA1:4884FD9AF6890647B7AF1AEFA57F38CCA49AD899
                                          SHA-256:9959B510B15D18937848AD13007E30459D2E993C67E564BADBFC18F935695C85
                                          SHA-512:F951B511FFB1A6B94B1BCAE9DF26B41B2FF829560583D7C83E70279D1B5304BDE299B3679D863CAD6BB79D0BEDA524FC195B7F054ECF11D2090037526B451B78
                                          Malicious:false
                                          Reputation:low
                                          Preview:<.d....!..`...
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):53795
                                          Entropy (8bit):4.600892640452502
                                          Encrypted:false
                                          SSDEEP:768:GNexnUsfsWVZqugdji6gBG0dzWnhpDnlPhBvwtL/P6GMG:rKcd+pethR
                                          MD5:6A7D4CB69AC026B9A0DB6E51D3D78117
                                          SHA1:CBC9763F6E3B543127FB36F36384DB2A593D63BF
                                          SHA-256:961542E2B04EE03A56480040D5EF41AADC19D53BB5491B9867346D5FC9A3CA4F
                                          SHA-512:DD8F9969299A594C8F836F1760A65171EF466E66F3B881CF6FF357149CE40C3525FBEE9C6162B038D939877DD2EE5CE7A8D22953F11E023558E1FCB8940B274F
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):156799
                                          Entropy (8bit):5.859529082176036
                                          Encrypted:false
                                          SSDEEP:1536:rvTy18hhPekHs1iNXVExWbStnn8TExgkYOvYejZOvXx4Mmf0MwUL8smk/pDZyy:y18hJ61nMStnn8TOgknQRLWZmkxNyy
                                          MD5:082E361CBAC2E3A0849F87B76EF6E121
                                          SHA1:F10E882762DCD2E60041BDD6CC57598FC3DF4343
                                          SHA-256:0179ED1B136E1CB3F583351EAA2C545BA3D83A6EE3F82C32505926A1A5F5F183
                                          SHA-512:F378A42116924E30FA0B8FFF1D3C3CB185DC35B2746DCE2818BE7C2AA95C5DE103DF44AAC74DA969C36C557F1D4DE42AC7647EC41066247F8AD2697BDED667EA
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):553296
                                          Entropy (8bit):5.6770423337867655
                                          Encrypted:false
                                          SSDEEP:6144:bcNJ7OG267kmchn3dVBlNnEU+CudooAH2Vng2/F5tmQh0:azwmch3dVBlGU+2cgd
                                          MD5:31D12C0A17D3790A624421740678C83E
                                          SHA1:65B4B5747BAC1D55AD46AD9CD68980A41C13D726
                                          SHA-256:E5941229506994E3FF58B0C53D91E7091AA3FB0FC6FF80B505F92D41DCD95DB9
                                          SHA-512:DA71848A3E6749DF8B2DC529A27C0CE408C876EC94DAE78E4F50A13AB13A82AEEEB341CAED6CFFB3EEA06BB56D1FA4AE27EBE70D7A99A30BEB4180277FBBA944
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):194487
                                          Entropy (8bit):4.877239354585035
                                          Encrypted:false
                                          SSDEEP:3072:yRRhAFCvqDBitD/iDG9AOH+l4TcwZBPqHo9fd9CFRK+2IKAimxsjucV2p0ZqvRu7:yRRHs5mksWVX3lA3
                                          MD5:6CBC5D8E1EABEC96C281065ECC51E35E
                                          SHA1:4E1E6BA3772428227CB033747006B4887E5D9AD1
                                          SHA-256:6A0BF6E70E7920C2B193E76E92F78F315936955D3B06AC039D917F2E06C43281
                                          SHA-512:CE1F9EE180176153D5F523D71E0DB06F4DEA65C24E5E2CD56341CFAEE349A8E9A0F606D99F7219A35DD4516D1528C90AEA4BB87548A55392B8F2B36164D478B1
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):162982
                                          Entropy (8bit):4.841899887077422
                                          Encrypted:false
                                          SSDEEP:1536:sXpestp/YIFtDT8FIWYbIJmPYuIpnmxAk6mwyJNqSm9+P:sxpTDT8FIWfJmdCmxApmbnqSm9+P
                                          MD5:F9475A909A0BAF4B6B7A1937D58293C3
                                          SHA1:76B97225A11DD1F77CAC6EF144812F91BD8734BD
                                          SHA-256:CE99032A3B0BF8ABAD758895CC22837088EAD99FD2D2514E2D180693081CFE57
                                          SHA-512:8A4F1B802B6B81FF25C44251FB4A880E93E9A5FE25E36825A24BFE0EFB34E764E7E1EE585D3A56554964B7921E7813C67F12D200D6E0C5EAF4BB76B064B5C890
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):138690
                                          Entropy (8bit):5.4870451639261075
                                          Encrypted:false
                                          SSDEEP:3072:XSue8FDn3iJsqBejd/zNDSLzdetY2ZISfCPS:XSuem7w7IjdIzUtYAISfCPS
                                          MD5:26B777C6C94C5AA6E61F949AA889BF74
                                          SHA1:F78DA73388C86D4D5E90D19BB3BD5F895C027F27
                                          SHA-256:4281C421984772665A9D72AB32276CFE1E2A3B0EBE21D4B63C5A4C3BA1F49365
                                          SHA-512:8E02CE06F6DE77729AEFA24410CBD4BFBA2D935EF10DCF071DA47BB70D9C5E0969F528BDB3DB5CAB00E3142D7C573FCF66EA5EB4A2BC557229AD082C0EB1DBCC
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):166167
                                          Entropy (8bit):4.685212271435657
                                          Encrypted:false
                                          SSDEEP:1536:CLZ1w8McowCppcPwL5pYFw+G00QsbLckCiWxvq+sjs06oFm:C91wxcowspc4L5pUw+cz39CiQ7tloFm
                                          MD5:1F41FF5D3A781908A481C07B35998729
                                          SHA1:ECF3B3156FFE14569ECDF805CF3BE12F29681261
                                          SHA-256:EDB32A933CEF376A2636634E14E2977CED6284E4AA9A4AC7E2292F9CA54C384A
                                          SHA-512:A492E8AC88095A38A13549C18C68E1F61C7054AB9362C2B04C65B93E48E4A07941C8DA6950BAE79041094623E0ED330CA975110FDE8248B4D9380B9F729AD891
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):381344
                                          Entropy (8bit):4.669829345699403
                                          Encrypted:false
                                          SSDEEP:3072:OkBYIWUj1W4pL/HQk0kaf7HAQ+hcdaLIsabkjZFItfdKv0NMRTFSZ0SEWWC1vMhL:OkBFVj7Y7H6vdaOrzAnLKcfeoT3i
                                          MD5:7E515CB3FEB67498865D63BDFBFD6F8D
                                          SHA1:121EB386EA79599FD893A34DC43990CEADDAB093
                                          SHA-256:C7DCDCEFB2C9F5973F2A29B0DE986918B8226B09C807D7E6A2199DB077BCFBA3
                                          SHA-512:6D590D4D869C097B939404E07EF770AB9D7520DE819C12CD92E82EA79FDD452E2C4EBDD93E8C4D3573C81E941E101D9D1697579F84CF0017168097AD12DEDDEC
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):496971
                                          Entropy (8bit):5.350633764762437
                                          Encrypted:false
                                          SSDEEP:3072:7fJqbWgMfKhqZnTFWTQk0kaXXEQAv6xMdFLIEasRP2JdVv0NMDTKSL0SEWWC2O48:74WgMf9TlXKLhzkn8TQrR
                                          MD5:E8EC7F482E36489E303D79B6060CB412
                                          SHA1:494C63A091D8063F351514C4D47CC0539A63958F
                                          SHA-256:B360CBE71F9C6D54E96F42A5F50F08D9F3540211952F6712CDB7FE8BFA08E6C4
                                          SHA-512:88EBAC5083BF8D2273898937FAC19732248118D20147D3A113115368C0E18333EB4E3F2002EE4DEE972B956D51ED2A3E1C84F2051090CD028525DC7273299578
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):62408
                                          Entropy (8bit):4.592973557077949
                                          Encrypted:false
                                          SSDEEP:768:kHGKVIbWVZ/utdRC/BIu0f4gfaGUATr8x+dVtDbP:kHGKyEeuPgfaGxlP
                                          MD5:33B55A906BE90674F9588BA40AF78D87
                                          SHA1:31515CC7AA4DAFF5F1B406AB269CF46AC7AECF55
                                          SHA-256:6A6DACCB8D5C1D0E11725AF101FE8B68D21793B217E54B44E65E986658B19D5D
                                          SHA-512:BAA2ACF8ED6D657BAF48DD7B6DD0481EEA87D6D2BE8C685FF6C0CAF56FB565054DA1080A3F154F1087977A2FDCD3E5EB40CFCA862CD518C4D8B676D20832F541
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):220467
                                          Entropy (8bit):4.626295310482312
                                          Encrypted:false
                                          SSDEEP:3072:7w8go8+ph6JVB8XVXYWpSNEeg8+vaD+p4N8DDiEKugwGZulh15ce4M+4NsPYXCZW:88h8Sj286tTiDD
                                          MD5:40760A3456C9C8ABE6EA90336AF5DA01
                                          SHA1:B249AA1CBF8C2636CE57EB4932D53492E4CE36AC
                                          SHA-256:553C046835DB9ADEF15954FA9A576625366BA8BFD16637038C4BCD28E5EBACE1
                                          SHA-512:068E55F39B5250CC937E4B2BD627873132D201D351B9351BE703CD9B95D3BAFB4BD649CB4DF120A976D7C156DA679758D952CAC5E0523107244E517D323BC0C5
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):174701
                                          Entropy (8bit):4.87192387061682
                                          Encrypted:false
                                          SSDEEP:3072:5WjuhX0CVRaakGjW9E8SSOQfX/JlwVOMxrboRPqWxXfQvO7zjBf:5iFGj1QfXr8Gd
                                          MD5:C57D0DE9D8458A5BEB2114E47B0FDE47
                                          SHA1:3A0E777539C51BB65EE76B8E1D8DCE4386CBC886
                                          SHA-256:03028B42DF5479270371E4C3BDC7DF2F56CBBE6DDA956A2864AC6F6415861FE8
                                          SHA-512:F7970C132064407752C3D42705376FE04FACAFD2CFE1021E615182555F7BA82E7970EDF5D14359F9D5CA69D4D570AA9DDC46D48CE787CFF13D305341A3E4AF79
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):165170
                                          Entropy (8bit):4.679910767547088
                                          Encrypted:false
                                          SSDEEP:1536:JVwzuvb+Ta64KQd84arHX5pxiVhA8QlOD/BnFNa8NsvsfFsfcoZtIx6F:JVwSTG4KqVaLX5pEVK7OJFczstgRtIx8
                                          MD5:C7C58A6D683797BFDD3EF676A37E2A40
                                          SHA1:809E580CDBF2FFDA10C77F8BE9BAC081978C102B
                                          SHA-256:4FFDA56BA3BB5414AB0482D1DDE64A6F226E3488F6B7F3F11A150E01F53FA4C8
                                          SHA-512:C5AED1A1AA13B8E794C83739B7FDDEAFD96785655C287993469F39607C8B9B0D2D8D222ECD1C13CF8445E623B195192F64DE373A8FB6FE43743BAF50E153CDA5
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):521134
                                          Entropy (8bit):4.716352469714204
                                          Encrypted:false
                                          SSDEEP:3072:/QRPXd59C54WJPXu0tQk0kaZRFtfms1B/AQ6fv7WSNPlitNS/SFAnINaXbtsh9ed:4PtPCsfhuj+g7YcVzsWAZCQepNTn
                                          MD5:5FF09C5E4C5737EC86CBB8B803D4EE1D
                                          SHA1:628157DE3381DFD45051A5D0669E41E86282912F
                                          SHA-256:71F1E7E4CD5AD771CF9DD031C4AD0EDB52B86355AFE0CAA362F20396FE9C7773
                                          SHA-512:78521DEF6AC6EE85B6736D4729C94D7C4066622F80345F6042AB977AB72842582F9157F88A9E3C47C4DFED69DAFA49273525300CD74960C38B1DB199F7EE8D88
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):203767
                                          Entropy (8bit):5.362347888784502
                                          Encrypted:false
                                          SSDEEP:1536:hn4dEJ63pdhPpy6gu5fs4MHQv6sLlxnrncF423ZL9xyuXwdcX8/Zuf76CW+WeXFx:aN3pdV5fZbpItXsZtRY+WSq
                                          MD5:7C1D56064AF52DC1C834FF709FC53609
                                          SHA1:C415A8B1B6B9D40DD68173A0772F32F639CD743A
                                          SHA-256:B2C601C7DECB9F8D2D6DC3B1929F2EC20656FF21783BF283DF23B02DD022DC5B
                                          SHA-512:FCBD753BECF6D2FC4B0074440AFBE06ED27B6FDF15D14ABD66DF28EF44272E98DC6DED66BAAE09EC8666BC78E454E20D38F945F4B0F6D0B6899CFD663E1BA1F9
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):210126
                                          Entropy (8bit):4.665314011804837
                                          Encrypted:false
                                          SSDEEP:3072:GQKRldlzfzvZfeW+6kXEVjSVPzC3ceKdP2:aff7UW+WjwP2
                                          MD5:1D351670EA821DB3BBB5AEE0AD186F10
                                          SHA1:AC0548EB87E7E4A12A604523713E5B08DF88FB50
                                          SHA-256:235F502810D5750A47421D3E57620DCAE5CFCFD83BC97766AD8B99B75238A544
                                          SHA-512:7A769F0C0858C25EBBBDD25C7308523ED298E35E2B5533981967773CF7D08899D81D05D34D67567BB48FB0DE21B3CE9C9D83866EC701DC841F8B430EADB43E29
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):189580
                                          Entropy (8bit):4.629471775298668
                                          Encrypted:false
                                          SSDEEP:1536:SiaI3C87jhakhR0VGkw7ys7CskQH6y4e6IFB4xyMuhvDnJGhFaCo527arBbm07LZ:S2yGjh17yiqxTXhvQoejJd8FUjVgk
                                          MD5:D512456777500DC13EF834ED528D3704
                                          SHA1:90A32284052C3FE12C18AFEC9F7FF56735E2E34B
                                          SHA-256:C515DD2A2E00765B5F651AAE124A55D617B24777138019ABC5A7001DA7417561
                                          SHA-512:BABEF929AC600C117967B42389623F352D219A466C484AE68EF3C9DA9FF61555875FFB0DAFC3E5EADA6FB43D37F7AFE74A6B6C73458A93FFB42819E1068C9A3B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):158241
                                          Entropy (8bit):5.401819605980093
                                          Encrypted:false
                                          SSDEEP:1536:4FoQa3dMUDPTzdAhpQgO5poZHvJllEnhmdK4I77/dnPJX/imfb1jhvv3BxT8upfk:rzDPTzaw5pCvJ8hVPdlvj3p8
                                          MD5:ACBE9498B42AE04A8A05DDB08F88DAF0
                                          SHA1:F847CC1A45A19B5527148BFBC93A3942819F22CD
                                          SHA-256:4835B26FC4FCCBF4444E4AF1178BA89ADA88D340BA74D61EAE344D81B8A26461
                                          SHA-512:D488BA62873DF44021B2DF7683B80F6207E998AC14F5DBA85E860949A8A01B4D826CFD574D83C8B1107294197D61F9098210D93729B026F03CEE86CC6B576C45
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):160017
                                          Entropy (8bit):5.356034639583569
                                          Encrypted:false
                                          SSDEEP:1536:XGlAMfkX1M0RdaCkR8lfv8vtc8EFrVYA2I4AJZWEWgHg1C8COvzLKHC6Jp9NV0V7:XUr0RACkIwDEpV1Lgf16btw3Bb
                                          MD5:257BCE0D43476FF6548F7D9D2C3A5809
                                          SHA1:3D7B581860C381FC5644F739850F4C126F27838D
                                          SHA-256:C14EBFAA0FECB341B43ED2179DF9372D27AD20A15BAFB9F5403D57838AE1D88A
                                          SHA-512:051C71E4D105B082D169C5B57D2B6CFC093D174A649A0B4D42FD226B808C9FEDB51A8CED6D5CB5DB7F4FCCE29419EC068D473B7FF7B8E15B9F8A82D32B73BE00
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):248501
                                          Entropy (8bit):5.750926703704071
                                          Encrypted:false
                                          SSDEEP:3072:I0yQJ2tW3e99dqqmKndVtilxIWw+FAcxRt92T6lJEQ45jPrI3:SY5emkkiW46R3k/FI3
                                          MD5:B8D2C4AD739C1E1170E59DB953A15D4A
                                          SHA1:CA6E7D99D3EF4EFA94184C2D93231C0126670D30
                                          SHA-256:F9ED475A57543C5BB790D0172652C731D5AE58CC54C33D6DF62512C771679F50
                                          SHA-512:5A6F9DF34538287A7C48A3DF3824478E8D974E34C7EB0E4732F0CF96428BD27E43E35B25E85E409157BC198BB297D176CA264F1C6FE36535DABD42471A143E3B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):179941
                                          Entropy (8bit):4.720938209922096
                                          Encrypted:false
                                          SSDEEP:3072:lvdTgO2Yl97ZWnbgTLt/Tf9IlqAeiy5uWkYGM0wNCdRjSK2YUlUs:lvdkA9vh5uWkY0MK2YXs
                                          MD5:8472CF0BF6C659177AD45AA9E3A3247C
                                          SHA1:7B5313CDA126BB7863001499FB66FB1B56C255FC
                                          SHA-256:E47FE13713E184D07FA4495DDE0C589B0E8F562E91574A3558A9363443A4FA72
                                          SHA-512:DE36A1F033BD7A4D6475681EDC93CC7B0B5DCB6A7051831F2EE6F397C971B843E1C10B66C4FB2EFF2A23DC07433E80FBF7B95E62C5B93E121AB5AD88354D9CB8
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):342848
                                          Entropy (8bit):5.71396246768156
                                          Encrypted:false
                                          SSDEEP:3072:/NQaUZP9PtWDdQk0kaRkBOQNydtLIEaVl+TdVv0NMzTySZ0SEWWCuTh3Qz5OgwQr:FUZP9iCkBV95vK6uPl3LhdPag
                                          MD5:041A18E4EAA08BE4F565E3B7ED1C7CEA
                                          SHA1:90FD52A9943BB51CEAAD511EA0F31D1C9FED723E
                                          SHA-256:70ADDFD279E4290A21A87BC0B968569F1946ECEB0ECC9F1D8EF7212197D7D735
                                          SHA-512:EEB682F8568DEDB2592E6B74762BEE96BA00E77B475F9FA904FAFC42166B0C37AEA2875E7D849D12E4DF74B3BF58C02E3AA1F50D18D3F7310B21304016030EFB
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):161139
                                          Entropy (8bit):4.679177649012242
                                          Encrypted:false
                                          SSDEEP:1536:ZL5ef7fdO4BKOb0t55pqCOIUP/PFIM7gxGQ9sRrFM6QJ4m8ihkM:ZdeDFO4BKOb0t55pnOrvCqg9mRK4IkM
                                          MD5:66C2DBE4E048D365AA3531409BB319E9
                                          SHA1:43376F186D324E261B0F6A2475FF2F0B5261B5E1
                                          SHA-256:EEDA9549376601652F8E2F35048E56548F4C15BC6CCAB48F5A3D5A249D631BEE
                                          SHA-512:4D4325752872BA0A3D4CA5F2ABA6FAC0D93EA7D36CAF2BF7EA2B32C9CD2B4832CC3A6B78AF7CAF33B28F7D6259CE1CE0F372089E16843FBE459B14F2A43B1904
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):165337
                                          Entropy (8bit):5.332219158085151
                                          Encrypted:false
                                          SSDEEP:1536:9ULiyUxPoT6qx+J7FJlaaMJnxjqxq+0Uiff0mbVeb7wiEwYuYqDKBkKHMXHCIMll:9ULpIVFnpwUiEujw27ncUQUz
                                          MD5:660413AD666A6B31A1ACF8F216781D6E
                                          SHA1:654409CDF3F551555957D3DBCF8D6A0D8F03A6C5
                                          SHA-256:E448AC9E3F16C29EB27AF3012EFE21052DAA78FABFB34CD6DFF2F69EE3BD3CDB
                                          SHA-512:C6AE4B784C3D302D7EC6B9CE7B27DDAF00713ADF233F1246CD0475697A59C84D6A86BAA1005283B1F89FCC0835FD131E5CF07B3534B66A0A0AA6AC6356006B8F
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):52749
                                          Entropy (8bit):5.753260720005621
                                          Encrypted:false
                                          SSDEEP:768:rjI8s8JzufJWPFuhjZ6Jl3a/xLfwqL86jrkqJNYuuitrFrI4CHXu8j:rU8XUJW9uj4+46Hkq/YuuUBIhX5
                                          MD5:46F9ED5E1C64EBFAA86BAFB3CD751C5C
                                          SHA1:013DE3E06B4DFA168D717E12D4848889F72C12B7
                                          SHA-256:BDF2F0C8653BD5045CB932655CBD6C3068FE8355CF19394F78F3B28FE3C252AF
                                          SHA-512:6A6A501C8E870D35007A0737A1733A3E85FF6208904624EF65F713F53D87AEC15673C4812FCF41D8435E398536667F8C31FA1E6A7E8F299DDC800499F4AC9829
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):125763
                                          Entropy (8bit):4.803076457235141
                                          Encrypted:false
                                          SSDEEP:3072:roXDuC1u/2lUBGjJirE5tsd/aev1GcfOdvhw:OucMGjH5t/m
                                          MD5:5BBA1E27FCABC34B403CDF11F0A63CEF
                                          SHA1:EA02695BDBB9C7F55A94F60B306703F0D67B30C3
                                          SHA-256:B70C6DE694E717FA05C46831B6A11927536AEAD937CCE6BA66665D5C496EED06
                                          SHA-512:E15DB4397E5388B56B9869080DB06CB3357E3D575C619CB1187F7372AEC5B7F19F14EEC6D2674F174094945AEDB5470AB1CCEC1347B96E8E6BB20279FD038F6C
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):160494
                                          Entropy (8bit):4.831791320613137
                                          Encrypted:false
                                          SSDEEP:3072:BmOMZadV9n51xXeQvjOiIzz7/Vs9Db3ihuJNvMfWxBNlYzYbTrIkfwb03l24cNKu:HkWa5pg0MahBHDd
                                          MD5:E9D302A698B9272BDA41D6DE1D8313FB
                                          SHA1:BBF35C04177CF290B43F7D2533BE44A15D929D02
                                          SHA-256:C61B67BB9D1E84F0AB0792B6518FE055414A68E44D0C7BC7C862773800FA8299
                                          SHA-512:12947B306874CF93ABA64BB46FAC48179C2D055E770D41AF32E50FFFB9F0C092F583AFCEA8B53FE9E238EF9370E9FFFBEB581270DFA1A7CB74EBE54D9BFF459F
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):153608
                                          Entropy (8bit):4.843805801051326
                                          Encrypted:false
                                          SSDEEP:3072:y5pmbKIhooMbGe91MrjOhmGzP6LJbWz5XIxELpU6:yObeqrjPGzeJyJLy6
                                          MD5:BD8BDC7BBDB7A80C56DCB61B1108961D
                                          SHA1:9538C4D8BB9A95C0D9DC57C7708A99DD53A32D1F
                                          SHA-256:846E047573AE40C83671C3BA7F73E27EFC24B98C82701DA0DF9973E574178BB2
                                          SHA-512:F040EC410EBFEA21145F944E71ADCAE8E5F60907D1D3716A937A9A59A48F70C6B7EAAC91C2C554F59357A7BC820CDBD17C73A4DECC20B51F68EB79EDD35C5554
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):181387
                                          Entropy (8bit):4.755193800761075
                                          Encrypted:false
                                          SSDEEP:3072:XzswP2UvZ5aZ9jFTkmq/gnBNW/+PcWrqm2Vliz0DGdaS4KSLZjwTTgwUR0toT:j3m27AjCT
                                          MD5:859CE522A233AF31ED8D32822DA7755B
                                          SHA1:70B19B2A6914DA7D629F577F8987553713CD5D3F
                                          SHA-256:7D1E5CA3310B54D104C19BF2ABD402B38E584E87039A70E153C4A9AF74B25C22
                                          SHA-512:F9FAA5A19C2FD99CCD03151B7BE5DDA613E9C69678C028CDF678ADB176C23C7DE9EB846CF915BC3CC67ABD5D62D9CD483A5F47A57D5E6BB2F2053563D62E1EF5
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):160017
                                          Entropy (8bit):5.356034639583569
                                          Encrypted:false
                                          SSDEEP:1536:XGlAMfkX1M0RdaCkR8lfv8vtc8EFrVYA2I4AJZWEWgHg1C8COvzLKHC6Jp9NV0V7:XUr0RACkIwDEpV1Lgf16btw3Bb
                                          MD5:257BCE0D43476FF6548F7D9D2C3A5809
                                          SHA1:3D7B581860C381FC5644F739850F4C126F27838D
                                          SHA-256:C14EBFAA0FECB341B43ED2179DF9372D27AD20A15BAFB9F5403D57838AE1D88A
                                          SHA-512:051C71E4D105B082D169C5B57D2B6CFC093D174A649A0B4D42FD226B808C9FEDB51A8CED6D5CB5DB7F4FCCE29419EC068D473B7FF7B8E15B9F8A82D32B73BE00
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):165337
                                          Entropy (8bit):5.332219158085151
                                          Encrypted:false
                                          SSDEEP:1536:9ULiyUxPoT6qx+J7FJlaaMJnxjqxq+0Uiff0mbVeb7wiEwYuYqDKBkKHMXHCIMll:9ULpIVFnpwUiEujw27ncUQUz
                                          MD5:660413AD666A6B31A1ACF8F216781D6E
                                          SHA1:654409CDF3F551555957D3DBCF8D6A0D8F03A6C5
                                          SHA-256:E448AC9E3F16C29EB27AF3012EFE21052DAA78FABFB34CD6DFF2F69EE3BD3CDB
                                          SHA-512:C6AE4B784C3D302D7EC6B9CE7B27DDAF00713ADF233F1246CD0475697A59C84D6A86BAA1005283B1F89FCC0835FD131E5CF07B3534B66A0A0AA6AC6356006B8F
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):210126
                                          Entropy (8bit):4.665314011804837
                                          Encrypted:false
                                          SSDEEP:3072:GQKRldlzfzvZfeW+6kXEVjSVPzC3ceKdP2:aff7UW+WjwP2
                                          MD5:1D351670EA821DB3BBB5AEE0AD186F10
                                          SHA1:AC0548EB87E7E4A12A604523713E5B08DF88FB50
                                          SHA-256:235F502810D5750A47421D3E57620DCAE5CFCFD83BC97766AD8B99B75238A544
                                          SHA-512:7A769F0C0858C25EBBBDD25C7308523ED298E35E2B5533981967773CF7D08899D81D05D34D67567BB48FB0DE21B3CE9C9D83866EC701DC841F8B430EADB43E29
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):174701
                                          Entropy (8bit):4.87192387061682
                                          Encrypted:false
                                          SSDEEP:3072:5WjuhX0CVRaakGjW9E8SSOQfX/JlwVOMxrboRPqWxXfQvO7zjBf:5iFGj1QfXr8Gd
                                          MD5:C57D0DE9D8458A5BEB2114E47B0FDE47
                                          SHA1:3A0E777539C51BB65EE76B8E1D8DCE4386CBC886
                                          SHA-256:03028B42DF5479270371E4C3BDC7DF2F56CBBE6DDA956A2864AC6F6415861FE8
                                          SHA-512:F7970C132064407752C3D42705376FE04FACAFD2CFE1021E615182555F7BA82E7970EDF5D14359F9D5CA69D4D570AA9DDC46D48CE787CFF13D305341A3E4AF79
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):181387
                                          Entropy (8bit):4.755193800761075
                                          Encrypted:false
                                          SSDEEP:3072:XzswP2UvZ5aZ9jFTkmq/gnBNW/+PcWrqm2Vliz0DGdaS4KSLZjwTTgwUR0toT:j3m27AjCT
                                          MD5:859CE522A233AF31ED8D32822DA7755B
                                          SHA1:70B19B2A6914DA7D629F577F8987553713CD5D3F
                                          SHA-256:7D1E5CA3310B54D104C19BF2ABD402B38E584E87039A70E153C4A9AF74B25C22
                                          SHA-512:F9FAA5A19C2FD99CCD03151B7BE5DDA613E9C69678C028CDF678ADB176C23C7DE9EB846CF915BC3CC67ABD5D62D9CD483A5F47A57D5E6BB2F2053563D62E1EF5
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):220467
                                          Entropy (8bit):4.626295310482312
                                          Encrypted:false
                                          SSDEEP:3072:7w8go8+ph6JVB8XVXYWpSNEeg8+vaD+p4N8DDiEKugwGZulh15ce4M+4NsPYXCZW:88h8Sj286tTiDD
                                          MD5:40760A3456C9C8ABE6EA90336AF5DA01
                                          SHA1:B249AA1CBF8C2636CE57EB4932D53492E4CE36AC
                                          SHA-256:553C046835DB9ADEF15954FA9A576625366BA8BFD16637038C4BCD28E5EBACE1
                                          SHA-512:068E55F39B5250CC937E4B2BD627873132D201D351B9351BE703CD9B95D3BAFB4BD649CB4DF120A976D7C156DA679758D952CAC5E0523107244E517D323BC0C5
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):33
                                          Entropy (8bit):4.513794876803093
                                          Encrypted:false
                                          SSDEEP:3:j2wZC4C/rOw+8k:Cwef+8k
                                          MD5:AAEA7BA475C961F941D0A23488457BEB
                                          SHA1:2BF0054002C8F7D85DD080DF332553BF9B3A8E26
                                          SHA-256:494AC9A2B2CB2FDECED353F4A9F898ED8DCF616E9BC667438C62681E3F7F79CF
                                          SHA-512:5B408C36C8F93F71E73E3D3B1C0C2AD699E92A6088604B8ADF8E588E8A75FC3FC92828199B7F00F5B05B224AE819220D07E56D610A76A267594870BEC77172BE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):165170
                                          Entropy (8bit):4.679910767547088
                                          Encrypted:false
                                          SSDEEP:1536:JVwzuvb+Ta64KQd84arHX5pxiVhA8QlOD/BnFNa8NsvsfFsfcoZtIx6F:JVwSTG4KqVaLX5pEVK7OJFczstgRtIx8
                                          MD5:C7C58A6D683797BFDD3EF676A37E2A40
                                          SHA1:809E580CDBF2FFDA10C77F8BE9BAC081978C102B
                                          SHA-256:4FFDA56BA3BB5414AB0482D1DDE64A6F226E3488F6B7F3F11A150E01F53FA4C8
                                          SHA-512:C5AED1A1AA13B8E794C83739B7FDDEAFD96785655C287993469F39607C8B9B0D2D8D222ECD1C13CF8445E623B195192F64DE373A8FB6FE43743BAF50E153CDA5
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):179941
                                          Entropy (8bit):4.720938209922096
                                          Encrypted:false
                                          SSDEEP:3072:lvdTgO2Yl97ZWnbgTLt/Tf9IlqAeiy5uWkYGM0wNCdRjSK2YUlUs:lvdkA9vh5uWkY0MK2YXs
                                          MD5:8472CF0BF6C659177AD45AA9E3A3247C
                                          SHA1:7B5313CDA126BB7863001499FB66FB1B56C255FC
                                          SHA-256:E47FE13713E184D07FA4495DDE0C589B0E8F562E91574A3558A9363443A4FA72
                                          SHA-512:DE36A1F033BD7A4D6475681EDC93CC7B0B5DCB6A7051831F2EE6F397C971B843E1C10B66C4FB2EFF2A23DC07433E80FBF7B95E62C5B93E121AB5AD88354D9CB8
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):166167
                                          Entropy (8bit):4.685212271435657
                                          Encrypted:false
                                          SSDEEP:1536:CLZ1w8McowCppcPwL5pYFw+G00QsbLckCiWxvq+sjs06oFm:C91wxcowspc4L5pUw+cz39CiQ7tloFm
                                          MD5:1F41FF5D3A781908A481C07B35998729
                                          SHA1:ECF3B3156FFE14569ECDF805CF3BE12F29681261
                                          SHA-256:EDB32A933CEF376A2636634E14E2977CED6284E4AA9A4AC7E2292F9CA54C384A
                                          SHA-512:A492E8AC88095A38A13549C18C68E1F61C7054AB9362C2B04C65B93E48E4A07941C8DA6950BAE79041094623E0ED330CA975110FDE8248B4D9380B9F729AD891
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):189580
                                          Entropy (8bit):4.629471775298668
                                          Encrypted:false
                                          SSDEEP:1536:SiaI3C87jhakhR0VGkw7ys7CskQH6y4e6IFB4xyMuhvDnJGhFaCo527arBbm07LZ:S2yGjh17yiqxTXhvQoejJd8FUjVgk
                                          MD5:D512456777500DC13EF834ED528D3704
                                          SHA1:90A32284052C3FE12C18AFEC9F7FF56735E2E34B
                                          SHA-256:C515DD2A2E00765B5F651AAE124A55D617B24777138019ABC5A7001DA7417561
                                          SHA-512:BABEF929AC600C117967B42389623F352D219A466C484AE68EF3C9DA9FF61555875FFB0DAFC3E5EADA6FB43D37F7AFE74A6B6C73458A93FFB42819E1068C9A3B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):138690
                                          Entropy (8bit):5.4870451639261075
                                          Encrypted:false
                                          SSDEEP:3072:XSue8FDn3iJsqBejd/zNDSLzdetY2ZISfCPS:XSuem7w7IjdIzUtYAISfCPS
                                          MD5:26B777C6C94C5AA6E61F949AA889BF74
                                          SHA1:F78DA73388C86D4D5E90D19BB3BD5F895C027F27
                                          SHA-256:4281C421984772665A9D72AB32276CFE1E2A3B0EBE21D4B63C5A4C3BA1F49365
                                          SHA-512:8E02CE06F6DE77729AEFA24410CBD4BFBA2D935EF10DCF071DA47BB70D9C5E0969F528BDB3DB5CAB00E3142D7C573FCF66EA5EB4A2BC557229AD082C0EB1DBCC
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):160494
                                          Entropy (8bit):4.831791320613137
                                          Encrypted:false
                                          SSDEEP:3072:BmOMZadV9n51xXeQvjOiIzz7/Vs9Db3ihuJNvMfWxBNlYzYbTrIkfwb03l24cNKu:HkWa5pg0MahBHDd
                                          MD5:E9D302A698B9272BDA41D6DE1D8313FB
                                          SHA1:BBF35C04177CF290B43F7D2533BE44A15D929D02
                                          SHA-256:C61B67BB9D1E84F0AB0792B6518FE055414A68E44D0C7BC7C862773800FA8299
                                          SHA-512:12947B306874CF93ABA64BB46FAC48179C2D055E770D41AF32E50FFFB9F0C092F583AFCEA8B53FE9E238EF9370E9FFFBEB581270DFA1A7CB74EBE54D9BFF459F
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):161139
                                          Entropy (8bit):4.679177649012242
                                          Encrypted:false
                                          SSDEEP:1536:ZL5ef7fdO4BKOb0t55pqCOIUP/PFIM7gxGQ9sRrFM6QJ4m8ihkM:ZdeDFO4BKOb0t55pnOrvCqg9mRK4IkM
                                          MD5:66C2DBE4E048D365AA3531409BB319E9
                                          SHA1:43376F186D324E261B0F6A2475FF2F0B5261B5E1
                                          SHA-256:EEDA9549376601652F8E2F35048E56548F4C15BC6CCAB48F5A3D5A249D631BEE
                                          SHA-512:4D4325752872BA0A3D4CA5F2ABA6FAC0D93EA7D36CAF2BF7EA2B32C9CD2B4832CC3A6B78AF7CAF33B28F7D6259CE1CE0F372089E16843FBE459B14F2A43B1904
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):129911
                                          Entropy (8bit):5.802855391832282
                                          Encrypted:false
                                          SSDEEP:1536:W8YYSCjKBJ26c1Z7f25pVmuLXpxfqt7FEUWNrfQje9kWI23pKXvx:xYuKBJ01Z7u5pQuLbESUWNzAAI23pKfx
                                          MD5:608B80932119D86503CDDCB1CA7F98BA
                                          SHA1:7F440399ABA23120F40F6F4FCAE966D621A1CC67
                                          SHA-256:CBA382ACC44D3680D400F2C625DE93D0C4BD72A90102769EDFD1FE91CB9B617B
                                          SHA-512:424618011A7C06748AADFC2295109D2D916289C81B01C669DA4991499B207B781604A03259C546739A3A6CF2F8F6DFA753B23406B2E2812F5407AEE343B5CBDD
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):156799
                                          Entropy (8bit):5.859529082176036
                                          Encrypted:false
                                          SSDEEP:1536:rvTy18hhPekHs1iNXVExWbStnn8TExgkYOvYejZOvXx4Mmf0MwUL8smk/pDZyy:y18hJ61nMStnn8TOgknQRLWZmkxNyy
                                          MD5:082E361CBAC2E3A0849F87B76EF6E121
                                          SHA1:F10E882762DCD2E60041BDD6CC57598FC3DF4343
                                          SHA-256:0179ED1B136E1CB3F583351EAA2C545BA3D83A6EE3F82C32505926A1A5F5F183
                                          SHA-512:F378A42116924E30FA0B8FFF1D3C3CB185DC35B2746DCE2818BE7C2AA95C5DE103DF44AAC74DA969C36C557F1D4DE42AC7647EC41066247F8AD2697BDED667EA
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):153608
                                          Entropy (8bit):4.843805801051326
                                          Encrypted:false
                                          SSDEEP:3072:y5pmbKIhooMbGe91MrjOhmGzP6LJbWz5XIxELpU6:yObeqrjPGzeJyJLy6
                                          MD5:BD8BDC7BBDB7A80C56DCB61B1108961D
                                          SHA1:9538C4D8BB9A95C0D9DC57C7708A99DD53A32D1F
                                          SHA-256:846E047573AE40C83671C3BA7F73E27EFC24B98C82701DA0DF9973E574178BB2
                                          SHA-512:F040EC410EBFEA21145F944E71ADCAE8E5F60907D1D3716A937A9A59A48F70C6B7EAAC91C2C554F59357A7BC820CDBD17C73A4DECC20B51F68EB79EDD35C5554
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):162982
                                          Entropy (8bit):4.841899887077422
                                          Encrypted:false
                                          SSDEEP:1536:sXpestp/YIFtDT8FIWYbIJmPYuIpnmxAk6mwyJNqSm9+P:sxpTDT8FIWfJmdCmxApmbnqSm9+P
                                          MD5:F9475A909A0BAF4B6B7A1937D58293C3
                                          SHA1:76B97225A11DD1F77CAC6EF144812F91BD8734BD
                                          SHA-256:CE99032A3B0BF8ABAD758895CC22837088EAD99FD2D2514E2D180693081CFE57
                                          SHA-512:8A4F1B802B6B81FF25C44251FB4A880E93E9A5FE25E36825A24BFE0EFB34E764E7E1EE585D3A56554964B7921E7813C67F12D200D6E0C5EAF4BB76B064B5C890
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):203767
                                          Entropy (8bit):5.362347888784502
                                          Encrypted:false
                                          SSDEEP:1536:hn4dEJ63pdhPpy6gu5fs4MHQv6sLlxnrncF423ZL9xyuXwdcX8/Zuf76CW+WeXFx:aN3pdV5fZbpItXsZtRY+WSq
                                          MD5:7C1D56064AF52DC1C834FF709FC53609
                                          SHA1:C415A8B1B6B9D40DD68173A0772F32F639CD743A
                                          SHA-256:B2C601C7DECB9F8D2D6DC3B1929F2EC20656FF21783BF283DF23B02DD022DC5B
                                          SHA-512:FCBD753BECF6D2FC4B0074440AFBE06ED27B6FDF15D14ABD66DF28EF44272E98DC6DED66BAAE09EC8666BC78E454E20D38F945F4B0F6D0B6899CFD663E1BA1F9
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):125763
                                          Entropy (8bit):4.803076457235141
                                          Encrypted:false
                                          SSDEEP:3072:roXDuC1u/2lUBGjJirE5tsd/aev1GcfOdvhw:OucMGjH5t/m
                                          MD5:5BBA1E27FCABC34B403CDF11F0A63CEF
                                          SHA1:EA02695BDBB9C7F55A94F60B306703F0D67B30C3
                                          SHA-256:B70C6DE694E717FA05C46831B6A11927536AEAD937CCE6BA66665D5C496EED06
                                          SHA-512:E15DB4397E5388B56B9869080DB06CB3357E3D575C619CB1187F7372AEC5B7F19F14EEC6D2674F174094945AEDB5470AB1CCEC1347B96E8E6BB20279FD038F6C
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):194487
                                          Entropy (8bit):4.877239354585035
                                          Encrypted:false
                                          SSDEEP:3072:yRRhAFCvqDBitD/iDG9AOH+l4TcwZBPqHo9fd9CFRK+2IKAimxsjucV2p0ZqvRu7:yRRHs5mksWVX3lA3
                                          MD5:6CBC5D8E1EABEC96C281065ECC51E35E
                                          SHA1:4E1E6BA3772428227CB033747006B4887E5D9AD1
                                          SHA-256:6A0BF6E70E7920C2B193E76E92F78F315936955D3B06AC039D917F2E06C43281
                                          SHA-512:CE1F9EE180176153D5F523D71E0DB06F4DEA65C24E5E2CD56341CFAEE349A8E9A0F606D99F7219A35DD4516D1528C90AEA4BB87548A55392B8F2B36164D478B1
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):158241
                                          Entropy (8bit):5.401819605980093
                                          Encrypted:false
                                          SSDEEP:1536:4FoQa3dMUDPTzdAhpQgO5poZHvJllEnhmdK4I77/dnPJX/imfb1jhvv3BxT8upfk:rzDPTzaw5pCvJ8hVPdlvj3p8
                                          MD5:ACBE9498B42AE04A8A05DDB08F88DAF0
                                          SHA1:F847CC1A45A19B5527148BFBC93A3942819F22CD
                                          SHA-256:4835B26FC4FCCBF4444E4AF1178BA89ADA88D340BA74D61EAE344D81B8A26461
                                          SHA-512:D488BA62873DF44021B2DF7683B80F6207E998AC14F5DBA85E860949A8A01B4D826CFD574D83C8B1107294197D61F9098210D93729B026F03CEE86CC6B576C45
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:Qt Translation file
                                          Category:dropped
                                          Size (bytes):127849
                                          Entropy (8bit):5.83455389078597
                                          Encrypted:false
                                          SSDEEP:3072:Fv2cHP10gOs6dcFxsJopMqOWv2WIrPFP8pa:Fh6s6iFxEodjef8pa
                                          MD5:9C6A3721D01ECAF3F952CE96F46CE046
                                          SHA1:4A944E9E31DF778F7012D8E4A66497583BFD2118
                                          SHA-256:085D29EAF9BBB788B2F2503D74A1EF963A9411CEB600441254CE49A120E1AB63
                                          SHA-512:6E2807B8785F42A26C9CCBDBA0327DD40B529B10C468593F0E74113774D1CCDAA4FD9ACE9B259B9040E1475911428ECAEA49425B0F170862CF8147D23DB48E46
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:InnoSetup Log 64-bit CloudCompare {4DE0A2C8-03F9-4B3F-BAFC-1D5F2141464B}, version 0x418, 31475 bytes, 849224\37\user\376, C:\Program Files\CloudCompare\376\377\377\
                                          Category:dropped
                                          Size (bytes):31475
                                          Entropy (8bit):3.601703940024947
                                          Encrypted:false
                                          SSDEEP:192:41RRvb73lZnC3bP4DS4SVJr73ZJW3c7UHS39Q6SElZwNn6QhA/YPg89eERcQcrTd:4rFPfC3bPuSVHJWM3bUHQ
                                          MD5:B1F570C472C45E6D3B636D31B3D4EFD5
                                          SHA1:6A28485F1479CF2B0DAEFC118227EE144F9561F5
                                          SHA-256:4EEA23FC15A08905A4595868C98BAB599A08EE4795B67BF8F9766DC963D4346D
                                          SHA-512:03FCD00C988F9F1FF425E149C2BCDFED682DB0C22B8EDADCFA6723A721CC0BE6A01D254222DD47EC256D77172565A8C9B523E8AFEC4AFC2388777523ED790273
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):3024000
                                          Entropy (8bit):6.401341683892991
                                          Encrypted:false
                                          SSDEEP:49152:gLJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvuS:cwSi0b67zeCzt0+yO3kS/
                                          MD5:CA9D0BC1FC3C0AEBE22047A2DCBCD715
                                          SHA1:8DF8054C0F3A9969493D74001AE6C6815090BB48
                                          SHA-256:69FEBFE8BB5D272CE0A488B1C4C7BF2C3CEAD22410F7E907681635DDD910EF42
                                          SHA-512:75D8B8811B736C6AF7802194508979209E34B6357662902456687E83FE348DE422B37A96A52B336448B9EE22F1B43D7C7B7266F67D9000B663F24CFE989F81AE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:InnoSetup messages, version 6.0.0, 261 messages (UTF-16), Cancel installation
                                          Category:dropped
                                          Size (bytes):24097
                                          Entropy (8bit):3.2749730459064845
                                          Encrypted:false
                                          SSDEEP:192:b1EjNSCkf3SCqsTr6CCPanAG1tznL7VF+Iqfc51U5YQDztXfbKJG/Bfvo:b1EK6CHr6fSX+7Q1U5YQDztB/B3o
                                          MD5:313D0CC5D1A64D2565E35937991775A6
                                          SHA1:B8ACB11878C485865C9E4679248E53B83A8F3AD4
                                          SHA-256:5ED0233C0922E9F20307315E24B4F33C3D56AB9F42B2F75AE91E7A27FD313B66
                                          SHA-512:7C2DB4A3A4A8DF09F8119A7BA4CA9EBFE562F0A34D431928344E21A5853931EEFBFD910DC4026C6788AC22423BBB125F2B700326D8A1D82B134E2B486C3D0684
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):85784
                                          Entropy (8bit):6.594110245111798
                                          Encrypted:false
                                          SSDEEP:1536:U3qPWvVCMgfw2eeWqjOebgk0jIpePxd76LGYU8j6ecbolG8EB4h88ii0:U66dsFeeBGPj1L6LGY+ecboC/8ip
                                          MD5:1453290DB80241683288F33E6DD5E80E
                                          SHA1:29FB9AF50458DF43EF40BFC8F0F516D0C0A106FD
                                          SHA-256:2B7602CC1521101D116995E3E2DDFE0943349806378A0D40ADD81BA64E359B6C
                                          SHA-512:4EA48A11E29EA7AC3957DCAB1A7912F83FD1C922C43D7B7D78523178FE236B4418729455B78AC672BB5632ECD5400746179802C6A9690ADB025270B0ADE84E91
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):2488832
                                          Entropy (8bit):6.160943225546191
                                          Encrypted:false
                                          SSDEEP:24576:F0/+sQ6I4bzQrzL7f2DdjAsWpCckWhfIHm5b4pgDpxiH+ROm:Q64bUnLb2DTWpCck7m5ZpseRt
                                          MD5:38A03AED710AD5C471F7864E05CBA4E9
                                          SHA1:E1A0FD42A0BBF5F7F22F9BCCE5C9BE1F4EABB221
                                          SHA-256:D8690C5E0EA25CA2AB480BCEA830CAAF07CA5BDCB5D81FDF6C5B36ACDEEDF124
                                          SHA-512:B66B526148E24DF3C8CD7150DEBF83D1D861939866B00B186759F26C75E187257AEFB25D7FAC44788CE04C54981381441C64BE141DA520BAF1EDEF9E9B5C7C11
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):70656
                                          Entropy (8bit):6.427052922078226
                                          Encrypted:false
                                          SSDEEP:1536:NAtEBVLW449/7DU6BNNiWrnToIfCIOvIOwIY/ky:yKVLQxDRrcWLTBfghwIY/ky
                                          MD5:977D5FD0F1CE33492336D6D48E4BEF6D
                                          SHA1:575C7AC6104D3E000B091F8AF343E822DBC53931
                                          SHA-256:41775B504663392F630CDBA675894A0A65A9C09616D5738B2DF98AEE329F0AF7
                                          SHA-512:11C4EA625D74D55F1926DC237436784577B8F82523A996843A0357156CCBA6D46EDA56928FF7AC82ED59BD8C131F96A1691D90B3997080B442AADA286DDA2C27
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Jan 13 06:03:09 2025, mtime=Mon Jan 13 06:03:15 2025, atime=Sun Jan 12 03:09:44 2025, length=3778688, window=hide
                                          Category:dropped
                                          Size (bytes):919
                                          Entropy (8bit):4.528538528026807
                                          Encrypted:false
                                          SSDEEP:24:8msrbkdc+RJrKfUUALdKGYGMdKGpbvNZBm:8m0kdciJrAUjLdzFMdzpDNH
                                          MD5:A8070BBCE7B89C120E0F3EB6039F3665
                                          SHA1:D1A894CBF7F5C603831DE6136A15C5F8975F1159
                                          SHA-256:5E244965F482AF0C43E5E7596C3682629A43F0FC68DD692936882237EC55DD90
                                          SHA-512:24CE62F81A3340203C1F1AB5F19CE93A9666B00E570B32129A23346274C58E75F3668D4B439C6FA872440188AB162A57605D03B1E1E9F99E50A6071D61A7B31B
                                          Malicious:false
                                          Reputation:low
                                          Preview:L..................F.... ....4.4.e..@..7.e...tn.d....9..........................P.O. .:i.....+00.../C:\.....................1.....DW.V..PROGRA~1..t......O.IDWP`....B...............J.....i...P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....b.1.....-Zp8..CLOUDC~1..J......-Ze8-Zp8..........................C...C.l.o.u.d.C.o.m.p.a.r.e.....n.2...9.,Z6! .CLOUDC~1.EXE..R......-Ze8-Zh8..............................C.l.o.u.d.C.o.m.p.a.r.e...e.x.e.......]...............-.......\............+.0.....C:\Program Files\CloudCompare\CloudCompare.exe..=.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.l.o.u.d.C.o.m.p.a.r.e.\.C.l.o.u.d.C.o.m.p.a.r.e...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.C.l.o.u.d.C.o.m.p.a.r.e.`.......X.......849224...........hT..CrF.f4... ....i|....,.......hT..CrF.f4... ....i|....,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                          Process:C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe
                                          File Type:Microsoft Cabinet archive data, many, 5691140 bytes, 14 files, at 0x44 +A "mfc140.dll_amd64" +A "mfc140chs.dll_amd64", flags 0x4, number 1, extra bytes 20 in head, 371 datablocks, 0x1 compression
                                          Category:dropped
                                          Size (bytes):5701492
                                          Entropy (8bit):7.997611715541784
                                          Encrypted:true
                                          SSDEEP:98304:ioVBFuv0iAVyX/zW61ZFQZU+mnVZ8QOFkvpW1rSFYK8mQxqrobR1cV:5V+vNLBsZU+mnVIFMW1rgi+c0V
                                          MD5:5866203168B27F18C1B47ABFA6823E02
                                          SHA1:3B696BE0A4CF750965D74263E43B8E302CB1B318
                                          SHA-256:7D48E0905EBEA9B14A07CFF687705DFDC50D795CD4C32E5ED87A0E344884B430
                                          SHA-512:037F793F60BE84F1DA005D47E21783E719A85B5C12C4D20050AD9D3254AC99BA8EB30B4B1378BAC69379DBC659427DC1AE4A19062ECD337D47D480D047AFB669
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe
                                          File Type:Microsoft Cabinet archive data, many, 982083 bytes, 12 files, at 0x44 +A "concrt140.dll_amd64" +A "msvcp140.dll_amd64", flags 0x4, number 1, extra bytes 20 in head, 75 datablocks, 0x1 compression
                                          Category:dropped
                                          Size (bytes):992435
                                          Entropy (8bit):7.996227359354833
                                          Encrypted:true
                                          SSDEEP:24576:0XKN4iOeSkepkozuJaPx/fmr2MFZ3bqN0+djTVxvdIoBQVHzo:0anOekp+aPx/fmKM7V+djpldVn
                                          MD5:8C302E40FBF614896BA36A75F3F8977E
                                          SHA1:991AF1495F7783173D0C5691BE38FF8648F2DF12
                                          SHA-256:B384B812DC59C2081CEE080EA6BBA748E02ECF3C0800D8DCAF9607A20A4F3290
                                          SHA-512:53B1D7D8AB495931F50B5D815AFE04D52F9E0BBAFA0A5F3E4F6605B6E4F2A85C583ABF9014DEC41481439827BB6BAB23AC439D4FD7D0C3F191F21B2BF5AFB11D
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe
                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2022 X64 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2022 X64 Additional Runtime - 14.42.34433., Template: x64;1033, Revision Number: {E04E511C-7D1F-4263-AB6A-F816392FD4D7}, Create Time/Date: Tue Oct 29 06:55:02 2024, Last Saved Time/Date: Tue Oct 29 06:55:02 2024, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                          Category:dropped
                                          Size (bytes):212992
                                          Entropy (8bit):6.372377887079137
                                          Encrypted:false
                                          SSDEEP:3072:69laht5Xel69YGnfxC2WB/bEPcefrKROjibDPxriTa56:ElaZeKFxCnBheIdluu
                                          MD5:351D8E8C804F6C6AAB4C718977B1817D
                                          SHA1:1B680E5E2ED548E5636F9D656C49C87CF9A70DA8
                                          SHA-256:CF584E5132EF3766A088F824BD038494713A7168CDDDD44E3F8C4AD581E2206E
                                          SHA-512:D0613C6B1A72C73013C0519619C557811A1D20FCDDC8361D391A31FC4AA9C70173B907957BABB049067111427A81E48A82E5467A15DAE8BEBB55B048993C93A4
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe
                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2022 X64 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.42.34433., Template: x64;1033, Revision Number: {A75B920C-55CD-4531-932F-CB4C539C41F8}, Create Time/Date: Tue Oct 29 06:50:14 2024, Last Saved Time/Date: Tue Oct 29 06:50:14 2024, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                          Category:dropped
                                          Size (bytes):212992
                                          Entropy (8bit):6.367262947705725
                                          Encrypted:false
                                          SSDEEP:3072:b9laht5Xel69YGnfxC2WB/bEPcefrKROjibDPxriTST:5laZeKFxCnBheIdluO
                                          MD5:09042BA0AF85F4873A68326AB0E704AF
                                          SHA1:F08C8F9CB63F89A88F5915E6A889B170CE98F515
                                          SHA-256:47CCEB26DD7B78F0D3D09FDDC419290907FE818979884B2192C834034180E83B
                                          SHA-512:1C9552A8BF478F9EDDE8ED67A8F40584A757C66AAF297609B4F577283469287992C1F84EBE15DF4DF05B0135E4D67C958A912738F4814440F6FD77804A2CFA7D
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):740
                                          Entropy (8bit):2.558940503190925
                                          Encrypted:false
                                          SSDEEP:12:TZK34pgMClGttDq+xUFZMAKLhtun2QyRKQ1q+1s3J:9KUgMClc2ZMAKr931W
                                          MD5:AB8254BC1DD0858C590D67936B8EBF6D
                                          SHA1:70464D3CE12EAAB56ADBEFE416DB70ACAC74F7E5
                                          SHA-256:A8431568361FB916037D2266AE764CC31014EB00CF4B49C21DA368395EF3553B
                                          SHA-512:7B2BD2A06186F53704C5B22318B998D549556B7C7A2C6411F6BC719BF9F25A5CA4EE9F7330EA574DD1C77F4C4A3CCF0C4CA9307B0B4EE77AB123BE84A53EDE21
                                          Malicious:false
                                          Reputation:low
                                          Preview:B.......................................................................................................................................................................................................................W.i.x.B.u.n.d.l.e.F.o.r.c.e.d.R.e.s.t.a.r.t.P.a.c.k.a.g.e.................W.i.x.B.u.n.d.l.e.L.a.s.t.U.s.e.d.S.o.u.r.c.e.............................W.i.x.B.u.n.d.l.e.N.a.m.e.....<...M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.3. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .(.x.6.4.). .-. .1.2...0...4.0.6.6.4.........W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.....D...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.i.s.-.M.F.S.7.L...t.m.p.\.v.c.r.e.d.i.s.t._.2.0.1.3._.x.6.4...e.x.e.........................
                                          Process:C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):465992
                                          Entropy (8bit):6.923996733031688
                                          Encrypted:false
                                          SSDEEP:6144:9qIuRebMq5S+Ud8AK+ehB9XgdmAeUBZ2x52OoElZTxPhhQgO1Oi/6xLdowQguVC+:9qIOkU8AMXE9B7PElZlP41v6ro4n+
                                          MD5:3284088A2D414D65E865004FDB641936
                                          SHA1:7F3E9180D9025FC14C8A7868B763B0C3E7A900B4
                                          SHA-256:102F69B5A98352A6A1A6B26BC2C86EE7611C1F45F5A9CA04F5A8841961F191C6
                                          SHA-512:6786FB431ADDF05DF256D0E1383501F96356AA78F66482DB9772C58334AEAD59838ABB7DB0EA793D4A17627A357598266681C28328485489A21BC2985E751B62
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):686136
                                          Entropy (8bit):7.251009602832873
                                          Encrypted:false
                                          SSDEEP:12288:V3mgqnIZuYfCYqFet4CovkM7ty1nEiHrfDDIcbMZ3Myf:V3WnIZuMCxezot7ghHLfDBMZ8yf
                                          MD5:3F32F1A9BD60AE065B89C2223676592E
                                          SHA1:9D386D394DB87F1EE41252CAC863C80F1C8D6B8B
                                          SHA-256:270FA05033B8B9455BD0D38924B1F1F3E4D3E32565DA263209D1F9698EFFBC05
                                          SHA-512:BDDFEAB33A03B0F37CFF9008815E2900CC96BDDAF763007E5F7FDFFD80E56719B81341029431BD9D25C8E74123C1D9CDA0F2AEFAFDC4937095D595093DB823DF
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):980
                                          Entropy (8bit):2.628238888279432
                                          Encrypted:false
                                          SSDEEP:12:UZK34pgMClGttDa+xU9TbWAttun2QX2RKQ1qKh6un2QXJRKQ1qi:OKUgMClccTbx9Nz9
                                          MD5:BA261C4958F738AD2104960A37A67061
                                          SHA1:C2AFAADFE5B3EB064DB40C88C537505D3749C60D
                                          SHA-256:A4EA3B240640EBA0A8133600F14219A63E3F240112B614EE358745C437060268
                                          SHA-512:AEC9E09A25A01655509A8A80360D0D03A7B8303E405F6BC21ACB2CE81D310C6946C7554AD8924AB5CD237D9A444BE229401C0717AC007438DDBFF2014DD64AF2
                                          Malicious:false
                                          Reputation:low
                                          Preview:O...............................................................................................................................................................................................................................................................W.i.x.B.u.n.d.l.e.F.o.r.c.e.d.R.e.s.t.a.r.t.P.a.c.k.a.g.e.....................W.i.x.B.u.n.d.l.e.L.a.s.t.U.s.e.d.S.o.u.r.c.e.................................W.i.x.B.u.n.d.l.e.N.a.m.e.....B...M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.5.-.2.0.2.2. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .(.x.6.4.). .-. .1.4...4.2...3.4.4.3.3.............W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.....@...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.i.s.-.M.F.S.7.L...t.m.p.\.V.C._.r.e.d.i.s.t...x.6.4...e.x.e.............W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.F.o.l.d.e.r...../...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.i.s.-.M.F.S.7.L...t.m.p.\.....................................
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):860
                                          Entropy (8bit):2.5622574762223893
                                          Encrypted:false
                                          SSDEEP:12:2ZZK34pgMClGttD6+xU9TMmwzttun2Qk336un2QAO3f:GKUgMClccTZyUO
                                          MD5:9BA32203A21BB0583763AB40DA877C09
                                          SHA1:A339764C730E0E6E107F06CE6CA9FFC79B48E72B
                                          SHA-256:D52C12100BD9F419ECC7D49DD8B7203682F6F96AF23B5D049D18804439FA86DB
                                          SHA-512:D59969326B6CA7F6372C1145605CEE03FDAA5FEE71D6D0AF9DDDD07E92A107FB9A1E0EF94A5D7F5FA929FF6D37C94E9B64FDF5BA08E1C8C03D71E6F604FA7034
                                          Malicious:false
                                          Reputation:low
                                          Preview:G...................................................................................................................................................................................................................................................W.i.x.B.u.n.d.l.e.F.o.r.c.e.d.R.e.s.t.a.r.t.P.a.c.k.a.g.e.....................W.i.x.B.u.n.d.l.e.L.a.s.t.U.s.e.d.S.o.u.r.c.e.........................W.i.x.B.u.n.d.l.e.N.a.m.e.....B...M.i.c.r.o.s.o.f.t. .V.i.s.u.a.l. .C.+.+. .2.0.1.5.-.2.0.2.2. .R.e.d.i.s.t.r.i.b.u.t.a.b.l.e. .(.x.6.4.). .-. .1.4...3.6...3.2.5.3.2.............W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.....*...C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.D.o.w.n.l.o.a.d.s.\.V.C._.r.e.d.i.s.t...x.6.4...e.x.e.............W.i.x.B.u.n.d.l.e.O.r.i.g.i.n.a.l.S.o.u.r.c.e.F.o.l.d.e.r.........C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.D.o.w.n.l.o.a.d.s.\.........................
                                          Process:C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe
                                          File Type:Microsoft Cabinet archive data, many, 5691140 bytes, 14 files, at 0x44 +A "mfc140.dll_amd64" +A "mfc140chs.dll_amd64", flags 0x4, number 1, extra bytes 20 in head, 371 datablocks, 0x1 compression
                                          Category:dropped
                                          Size (bytes):5701492
                                          Entropy (8bit):7.997611715541784
                                          Encrypted:true
                                          SSDEEP:98304:ioVBFuv0iAVyX/zW61ZFQZU+mnVZ8QOFkvpW1rSFYK8mQxqrobR1cV:5V+vNLBsZU+mnVIFMW1rgi+c0V
                                          MD5:5866203168B27F18C1B47ABFA6823E02
                                          SHA1:3B696BE0A4CF750965D74263E43B8E302CB1B318
                                          SHA-256:7D48E0905EBEA9B14A07CFF687705DFDC50D795CD4C32E5ED87A0E344884B430
                                          SHA-512:037F793F60BE84F1DA005D47E21783E719A85B5C12C4D20050AD9D3254AC99BA8EB30B4B1378BAC69379DBC659427DC1AE4A19062ECD337D47D480D047AFB669
                                          Malicious:false
                                          Reputation:low
                                          Preview:MSCF......V.....D.............................V.p(..........4...s...P.U.......]Y.- .mfc140.dll_amd64.h...P.U...]Y.- .mfc140chs.dll_amd64.P.....V...]Y.- .mfc140cht.dll_amd64.h8...]W...]Y.- .mfc140deu.dll_amd64.p...p.X...]Y.- .mfc140enu.dll_amd64.h4...Y...]Y.- .mfc140esn.dll_amd64.h8..H.Z...]Y.- .mfc140fra.dll_amd64.p0....\...]Y.- .mfc140ita.dll_amd64.P... E]...]Y.- .mfc140jpn.dll_amd64.h...p+^...]Y.- .mfc140kor.dll_amd64.P(...._...]Y.- .mfc140rus.dll_amd64.PVV.(8`...]Y.- .mfc140u.dll_amd64..x..x.....]Y.- .mfcm140.dll_amd64..x........]Y.- .mfcm140u.dll_amd64.'..|.6..CK.:{|Se._.M[..4XD....)..........-R..V^....,..@iK...g.]........Y.....-.i+o..D.-7.G..)(w.9_nnn.......{.w.w^.y}.....Y,c,.~d......_...c,..T.#.H...#}'..4cq...J.d..,\.....2..y.3.c..X.h...$s...V.d....)?.G.e...B.y1s.<W.q.{../.^.\N..+..5s&..d;._"..rofJ;.y%.I.w.......2....E...X<..Y.M`.o..W..X....'X[...h..qxO..j....1...#..'w.$rv..I...6e.......Yg...)`.Q@.p6..M x..6......a./.X.".K.;.-.{.g.fV].. ...Xz.3l...<.1....
                                          Process:C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe
                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2022 X64 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2022 X64 Additional Runtime - 14.42.34433., Template: x64;1033, Revision Number: {E04E511C-7D1F-4263-AB6A-F816392FD4D7}, Create Time/Date: Tue Oct 29 06:55:02 2024, Last Saved Time/Date: Tue Oct 29 06:55:02 2024, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                          Category:dropped
                                          Size (bytes):212992
                                          Entropy (8bit):6.372377887079137
                                          Encrypted:false
                                          SSDEEP:3072:69laht5Xel69YGnfxC2WB/bEPcefrKROjibDPxriTa56:ElaZeKFxCnBheIdluu
                                          MD5:351D8E8C804F6C6AAB4C718977B1817D
                                          SHA1:1B680E5E2ED548E5636F9D656C49C87CF9A70DA8
                                          SHA-256:CF584E5132EF3766A088F824BD038494713A7168CDDDD44E3F8C4AD581E2206E
                                          SHA-512:D0613C6B1A72C73013C0519619C557811A1D20FCDDC8361D391A31FC4AA9C70173B907957BABB049067111427A81E48A82E5467A15DAE8BEBB55B048993C93A4
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Mon Jan 13 06:03:09 2025, mtime=Mon Jan 13 06:03:32 2025, atime=Sun Jan 12 03:09:44 2025, length=3778688, window=hide
                                          Category:dropped
                                          Size (bytes):901
                                          Entropy (8bit):4.54311665446771
                                          Encrypted:false
                                          SSDEEP:24:8msPbXfTAQbdc+tJrKfUUAWdKGYGMdKGpbvNZBm:8mIXLvbdcCJrAUjWdzFMdzpDNH
                                          MD5:55F76EDF4F5422C7B7955AB4A89B3B1D
                                          SHA1:06949686523056D2BDBC1082CDA080FCFEB03D27
                                          SHA-256:A1E8F499B0AF8B895499950FBADE243566243F691D2A9CB17EEAF075A975FFE5
                                          SHA-512:B4D0ACC3AFA5775B88D97ABFDE857FEB5872871B918A520BC436CF9CE53126072C87505B5AFB154B878DB7F6EE49D71F780464AE81D4156B5F933E6D38D19416
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe
                                          File Type:ASCII text, with very long lines (323), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):9208
                                          Entropy (8bit):5.5017885838273015
                                          Encrypted:false
                                          SSDEEP:192:LiVHyEY9lJlYOxvjNjU/Ae8rr9cnKOlVr:LiVHyEY9Bxvhgbo9cnKUVr
                                          MD5:7EFBC11F2A51CFF1BF6C6C315618C26C
                                          SHA1:4A66295AF97E28C9C0352DB2B11AEC6CCF1F5C23
                                          SHA-256:D2D9BE1C8D1B5029AF0C790A529A1C1BBCCDFECE6F3842A90CBE179E30007F89
                                          SHA-512:133294A1BFEE6A614441B2024B4F348751C26209CA2919CA00A7900E75917BF40AB449B956A431E7F635757559A86D27F6729B4554CD03C685220DB01F796189
                                          Malicious:false
                                          Reputation:low
                                          Preview:[0ED0:1600][2025-01-13T02:03:32]i001: Burn v3.7.3424.0, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe, cmdline: '/install /quiet /norestart -burn.unelevated BurnPipe.{52F10DF7-B7C8-4B5E-AFC8-2BA7C00A35CC} {589A9A7F-E5FB-4992-ADCC-7C833A7A6873} 1628'..[0ED0:1600][2025-01-13T02:03:32]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\dd_vcredist_amd64_20250113020332.log'..[0ED0:1600][2025-01-13T02:03:32]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe'..[0ED0:1600][2025-01-13T02:03:32]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\'..[0ED0:1600][2025-01-13T02:03:32]i000: Setting string variable 'WixBundleName' to value 'Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.40664'..[0ED0:1600][2025-01-13T02:03:33]i100: Det
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (588), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):180596
                                          Entropy (8bit):3.796549490694057
                                          Encrypted:false
                                          SSDEEP:1536:zRmtPYgIWUjtwE12bAqkX/xoiBZbDwqyykr96Ux5ZiqTdH3tHwT/TfHZA5E7uGm0:zC7j7BttttydzvcbDJ7U
                                          MD5:AD5BA86C7B1CD42CA052FD083FA581A9
                                          SHA1:07793974959EF000BD69B4304997DB2021C7E95B
                                          SHA-256:05E0E56D0633EF30128107028D86134C6E189B20C355C7AFBFAC721F068FD793
                                          SHA-512:7D55DE4E3CBC1059E9BACD926515CB9DE8E888D6C423F196E41657A207BF6455077C44E5EEE92CAD31E523444E9A01D3F8DFC5CB5BEC0090128F247460E59D47
                                          Malicious:false
                                          Reputation:low
                                          Preview:=== Verbose logging started: 13/01/2025  02:03:47  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Users\jones\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe ===..MSI (c) (5C:4C) [02:03:47:169]: Resetting cached policy values..MSI (c) (5C:4C) [02:03:47:169]: Machine policy value 'Debug' is 0..MSI (c) (5C:4C) [02:03:47:169]: ******* RunEngine:..           ******* Product: C:\ProgramData\Package Cache\{53CF6934-A98D-3D84-9146-FC4EDF3D5641}v12.0.40664\packages\vcRuntimeMinimum_a
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (588), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):203430
                                          Entropy (8bit):3.8023422926390174
                                          Encrypted:false
                                          SSDEEP:3072:/x8jGaUuuuuuuuuuuu4iQLm+yoxCL3LmqyT9zOG:ij8
                                          MD5:88BA4F5D24D277680316AFD295B3953F
                                          SHA1:30F8D7D516C841C058395BA258C299D364D5DAF8
                                          SHA-256:344A6299548669890A2FE4C3035FA43121DDBEAFA2755FD0A7F293D3FD2B02AE
                                          SHA-512:0554E9E822CFE2431F342E98DA04138D8EA1C062B57FA1CB12626B8C48B1449DD87FC3649B76D90B3CA591B108E6D025E85B66A21E103626E041C8B899968F23
                                          Malicious:false
                                          Reputation:low
                                          Preview:=== Verbose logging started: 13/01/2025  02:03:49  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Users\jones\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe ===..MSI (c) (5C:98) [02:03:49:028]: Resetting cached policy values..MSI (c) (5C:98) [02:03:49:028]: Machine policy value 'Debug' is 0..MSI (c) (5C:98) [02:03:49:028]: ******* RunEngine:..           ******* Product: C:\ProgramData\Package Cache\{010792BA-551A-3AC0-A7EF-0FAB4156C382}v12.0.40664\packages\vcRuntimeAdditiona
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:ASCII text, with very long lines (438), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):18997
                                          Entropy (8bit):5.502268059759995
                                          Encrypted:false
                                          SSDEEP:192:aradcTGEHOnQ10161h1V1y1I1X1JAtrRye1gHVvwzjNj+4Lh+J2VPRWf8mnE8c4L:aOdcTG1zrRye1uwzhy4LbfyZhwuP
                                          MD5:979AB3C24746E236081D0B93583CF345
                                          SHA1:5CFD572B41269981A1E20823BA34118AE2A5C3C2
                                          SHA-256:99CC17480A403469735B4AC79FCAB992FED42244BF2F12D8ADA5D8496C8884D0
                                          SHA-512:161938333C7B17B63BEF3B313EC85275880F09532836BA34904E5C2C523478DC35B4EB13234008D1A6231437AC5502565FC9B1B24F058D052888D19A29C44533
                                          Malicious:false
                                          Reputation:low
                                          Preview:[0490:09B8][2025-01-13T02:03:52]i001: Burn v3.14.1.8722, Windows v10.0 (Build 19045: Service Pack 0), path: C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe..[0490:09B8][2025-01-13T02:03:52]i009: Command Line: '-burn.clean.room=C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe -burn.filehandle.attached=528 -burn.filehandle.self=684 /install /quiet /norestart'..[0490:09B8][2025-01-13T02:03:52]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe'..[0490:09B8][2025-01-13T02:03:52]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\'..[0490:09B8][2025-01-13T02:03:53]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\dd_vcredist_amd64_20250113020353.log'..[0490:09B8][2025-01-13T02:03:53]i000: Setting string variable 'WixBundleName' to value 'Microsoft Visual C++ 2015-2
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):255438
                                          Entropy (8bit):3.820937049715889
                                          Encrypted:false
                                          SSDEEP:3072:ZYEX/UjjW6666666666DErYj3mCCCCCCCzzzzYxZrRNv19LeWvC2A:ejSj9
                                          MD5:D23889592D5D91287776E9FFC0955961
                                          SHA1:C7379664F1D33092CE497830899AB5DA4C176032
                                          SHA-256:27855C4C2942B5D2FA2E736D2BA6D3E8747CE48E7A046024FE5CEDFAC6AB35F9
                                          SHA-512:378E43D78178F1DB9A228480D64949370A4D415B0043476BF72ACFD7036922DFD07D1FDFE3535FAAFAAA1D1047397DFDF421AFF8BCA9079FBECB673DAE97D9AF
                                          Malicious:false
                                          Reputation:low
                                          Preview:=== Verbose logging started: 13/01/2025  02:04:07  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe ===..MSI (c) (0C:7C) [02:04:07:583]: Resetting cached policy values..MSI (c) (0C:7C) [02:04:07:583]: Machine policy value 'Debug' is 0..MSI (c) (0C:7C) [02:04:07:583]: ******* RunEngine:..           ******* Product: C:\ProgramData\Package Cache\{382F1166-A409-4C5B-9B1E-85ED538B8291}v14.42.34433\packages\vcRuntime
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):246934
                                          Entropy (8bit):3.824392858893819
                                          Encrypted:false
                                          SSDEEP:3072:8l3R3ojAGOufffffllllllllENdKWjP3xooooooooooooo8KPv/FsBH2u0PcVDiz:PjIj+
                                          MD5:C1A8226348E2AE1E8B69B75261FBE1C2
                                          SHA1:F402153E3DDD765EB284E63CC50390092747A002
                                          SHA-256:BF1F8584A7BE93B483D1D52A969AB1447FBB42D2C810235419D51330D9F6A979
                                          SHA-512:9B66E70D136DBB9B7F584532041F48972CD949B251C2C4798833F8D44C3447FFFFF4F71654144CEE6100A0F191EA368AE43156A98E2B2AC77A420503A5A88E04
                                          Malicious:false
                                          Reputation:low
                                          Preview:=== Verbose logging started: 13/01/2025  02:04:09  Build type: SHIP UNICODE 5.00.10011.00  Calling process: C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe ===..MSI (c) (0C:CC) [02:04:09:942]: Resetting cached policy values..MSI (c) (0C:CC) [02:04:09:942]: Machine policy value 'Debug' is 0..MSI (c) (0C:CC) [02:04:09:942]: ******* RunEngine:..           ******* Product: C:\ProgramData\Package Cache\{E1902FC6-C423-4719-AB8A-AC7B2694B367}v14.42.34433\packages\vcRuntime
                                          Process:C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):865
                                          Entropy (8bit):5.34123175481614
                                          Encrypted:false
                                          SSDEEP:24:JhbeLLzAHGhKW7cP2UfkNEW12DXemK+aDVDmK+aBtRNEWZc:JhbYJuhkqg26ZJhDZJAWa
                                          MD5:04968602486879B226E9BDE34FB7227D
                                          SHA1:5A942B4DBF1C269FA5A3028675A05992ADF606DC
                                          SHA-256:8F2EB9E958A3E0656197E8DCE9C3C0BB08AB87763F2B5419D88D15371C59ED28
                                          SHA-512:B9947702A2849B00BA4CECFF5DD864EC2228A9BEF82E88A8A46E413508CAA0A63D340B33EBB799BCBFA8203325F6FD1CD4A5EB29BAC2619BAA0C2BAFE0353AAF
                                          Malicious:false
                                          Reputation:low
                                          Preview:[0DB8:1460][2025-01-13T02:04:02]i001: Burn v3.7.3424.0, Windows v10.0 (Build 19045: Service Pack 0), path: C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe, cmdline: ''..[0DB8:1460][2025-01-13T02:04:03]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\dd_vcredist_amd64_20250113020403.log'..[0DB8:1460][2025-01-13T02:04:03]i100: Detect begin, 2 packages..[0DB8:1460][2025-01-13T02:04:03]i101: Detected package: vcRuntimeMinimum_x64, state: Present, cached: Complete..[0DB8:1460][2025-01-13T02:04:03]i101: Detected package: vcRuntimeAdditional_x64, state: Present, cached: Complete..[0DB8:1460][2025-01-13T02:04:03]i052: Condition 'VersionNT64 >= v6.0 OR (VersionNT64 = v5.2 AND ServicePackLevel >= 1)' evaluates to true...[0DB8:1460][2025-01-13T02:04:03]i199: Detect complete, result: 0x0..
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:ASCII text, with very long lines (443), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):13161
                                          Entropy (8bit):5.430037391365712
                                          Encrypted:false
                                          SSDEEP:192:7QTHpxnWb1B1P1U1o13111S1Bu9umX2fgrKGZxeLAI:7w/ZLfgrKVLJ
                                          MD5:D569972A287ADC90054A87D26EBC219A
                                          SHA1:5D54A4B82A5B0E0723584095CEE1583F148208B3
                                          SHA-256:4195960800D066E23BAFAE8D6EA3F740947C59798DF855F5354886583105131C
                                          SHA-512:A899994E1253266C5CF4FBDD68B94A19F4745705BF92F83D8037130481A735DF18B07DBEB35C6D2D15BF13B4262A1D45150394742008358B9F345C55E9855D4D
                                          Malicious:false
                                          Reputation:low
                                          Preview:[159C:053C][2025-01-13T02:04:13]i001: Burn v3.10.4.4718, Windows v10.0 (Build 19045: Service Pack 0), path: C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe..[159C:053C][2025-01-13T02:04:13]i003: This bundle is being run by a related bundle as type 'Upgrade'...[159C:053C][2025-01-13T02:04:13]i009: Command Line: '"-burn.clean.room=C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -burn.filehandle.attached=640 -burn.filehandle.self=648 -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=1076 -burn.embedded BurnPipe.{D12062C8-32D1-4D95-9427-EFB8FB4659AF} {9F88753D-DF7E-4F79-A3B9-627D7E10415E} 6156'..[159C:053C][2025-01-13T02:04:14]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\dd_vcredist_amd64_20250113020414.log'..[159C:053C][2025-01-13T02:04:14]i000: Setting string variable 'WixBundleManufacturer' to value 'M
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3982
                                          Entropy (8bit):5.4398287026658645
                                          Encrypted:false
                                          SSDEEP:96:bThD2ea5nBT1ow1o+1ot1oJ1oO1o81oj1dYq1DZ1y01WYLz4wm:PHa5nt1h1v101I1X1V1y18
                                          MD5:8CEB820108E2A24B28D71BA4A40A7FF8
                                          SHA1:504074C87E1C021E013B2E71BEE70E734A666047
                                          SHA-256:2634DA5506B3E6E019F7B2D439B75C65F17CBDDC10E1C68483C211B9C88D7217
                                          SHA-512:4C2081941B00DF1D6BC4460E6276AC7B9AA24492ED0FDA3804A60FD66D70243CBACD82080200A9F113B7EDB7D3426E77DCD83B2C02DDF3054E18ACC0EFB12C8B
                                          Malicious:false
                                          Reputation:low
                                          Preview:[06B0:1478][2025-01-13T02:04:18]i001: Burn v3.14.1.8722, Windows v10.0 (Build 19045: Service Pack 0), path: C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe..[06B0:1478][2025-01-13T02:04:18]i009: Command Line: '"-burn.clean.room=C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe" -burn.filehandle.attached=568 -burn.filehandle.self=560'..[06B0:1478][2025-01-13T02:04:19]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\dd_vcredist_amd64_20250113020419.log'..[06B0:1478][2025-01-13T02:04:19]i000: Setting string variable 'WixBundleManufacturer' to value 'Microsoft Corporation'..[06B0:0F78][2025-01-13T02:04:19]i000: Setting version variable 'WixBundleFileVersion' to value '14.42.34433.0'..[06B0:1478][2025-01-13T02:04:19]i100: Detect begin, 11 packages..[06B0:1478][2025-01-13T02:04:19]i000: Setting string variable 'Arm64_Check' to value 'AMD64'..[06B0:1478][2025-01-13T02:04:19]i000:
                                          Process:C:\Users\user\Desktop\download\CloudCompare_v2.14.alpha_setup_x64.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):3024000
                                          Entropy (8bit):6.401341683892991
                                          Encrypted:false
                                          SSDEEP:49152:gLJwSihjOb6GLb4SKEs3DyOMC2DlUt0+yO3A32ASNTvuS:cwSi0b67zeCzt0+yO3kS/
                                          MD5:CA9D0BC1FC3C0AEBE22047A2DCBCD715
                                          SHA1:8DF8054C0F3A9969493D74001AE6C6815090BB48
                                          SHA-256:69FEBFE8BB5D272CE0A488B1C4C7BF2C3CEAD22410F7E907681635DDD910EF42
                                          SHA-512:75D8B8811B736C6AF7802194508979209E34B6357662902456687E83FE348DE422B37A96A52B336448B9EE22F1B43D7C7B7266F67D9000B663F24CFE989F81AE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):25640112
                                          Entropy (8bit):7.996901368935702
                                          Encrypted:true
                                          SSDEEP:786432:tJJpx5hYBug51Mn8li64kgE1HeaPdjMDL1JZ:tpx56Bu61AH64kgsP2h
                                          MD5:223A76CD5AB9E42A5C55731154B85627
                                          SHA1:38B647D37B42378222856972A1E22FBD8CF4B404
                                          SHA-256:1821577409C35B2B9505AC833E246376CC68A8262972100444010B57226F0940
                                          SHA-512:20E2D7437367CB262CE45184EB4D809249FE654AA450D226E376D4057C00B58ECFD8834A8B5153EB148960FFC845BED1F0943D5FF9A6FC1355B1503138562D8D
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):6144
                                          Entropy (8bit):4.720366600008286
                                          Encrypted:false
                                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):25640112
                                          Entropy (8bit):7.996901368935702
                                          Encrypted:true
                                          SSDEEP:786432:tJJpx5hYBug51Mn8li64kgE1HeaPdjMDL1JZ:tpx56Bu61AH64kgsP2h
                                          MD5:223A76CD5AB9E42A5C55731154B85627
                                          SHA1:38B647D37B42378222856972A1E22FBD8CF4B404
                                          SHA-256:1821577409C35B2B9505AC833E246376CC68A8262972100444010B57226F0940
                                          SHA-512:20E2D7437367CB262CE45184EB4D809249FE654AA450D226E376D4057C00B58ECFD8834A8B5153EB148960FFC845BED1F0943D5FF9A6FC1355B1503138562D8D
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):7200744
                                          Entropy (8bit):7.988821702604525
                                          Encrypted:false
                                          SSDEEP:196608:bPwMcp4zKAKpCPhD5nsF5GBAiSG5VtJFeHi:0McAWKJsF5vib5VtTeC
                                          MD5:49B1164F8E95EC6409EA83CDB352D8DA
                                          SHA1:1194E6BF4153FA88F20B2A70AC15BC359ADA4EE2
                                          SHA-256:A4BBA7701E355AE29C403431F871A537897C363E215CAFE706615E270984F17C
                                          SHA-512:29B65E45CE5233F5AD480673752529026F59A760466A1026BB92FC78D1CCC82396ECB8F07B0E49C9B2315DBEF976CB417273C77F4209475036775FE687DD2D60
                                          Malicious:false
                                          Reputation:low
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-.}}~.}}~.}}~...~.}}~...~.}}~...~.}}~...~.}}~.}|~.|}~...~.}}~...~.}}~.}.~.}}~...~.}}~Rich.}}~........PE..L...B.JT.....................6....................@..........................P........n...@..................................5..@........9..........p.m.x>.......3.. ...............................X...@............................................text...$........................... ..`.rdata..L...........................@..@.data....0...`.......:..............@....wixburn8............J..............@..@.tls.................L..............@....rsrc....9.......:...N..............@..@.reloc..rD.......F..................@..B................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (561), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):5906
                                          Entropy (8bit):3.743221900318535
                                          Encrypted:false
                                          SSDEEP:96:X0eVJbgV2VBLHeBvn6yeZqCE0wLycujEn6qLUemcmqpq0wMLrycNLchtrtvRtrti:X001Ks1Up2lpJwxLURf6zLG0LcFlBL5+
                                          MD5:D1439B6CFE105425BCCE1A81954B3417
                                          SHA1:288E59BD999DCFED5C4C746C1992CFC9BB5F2380
                                          SHA-256:3AE340BEC4FB68B477F34DBEADAF8CF3EA95550E427A3BB84994B5806485B5B3
                                          SHA-512:868A9C1706B967F532039F9413BBDE8BA0FCA5CF76915334C1A1BE7D0513D3815F506A766183D85D3595AF2B4928CF5F3AD16703D20B2A5CAA9C9C47B4880086
                                          Malicious:false
                                          Reputation:low
                                          Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".u.t.f.-.1.6.".?.>.....<.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a. .x.m.l.n.s.=.".h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.w.i.x./.2.0.1.0./.B.o.o.t.s.t.r.a.p.p.e.r.A.p.p.l.i.c.a.t.i.o.n.D.a.t.a.".>..... . .<.U.x.B.l.o.c.k.e.r. .S.h.o.r.t.N.a.m.e.=.".M.i.n.i.m.u.m.O.S.L.e.v.e.l.". .T.y.p.e.=.".S.t.o.p.". .C.o.n.d.i.t.i.o.n.=.".N.O.T.(.(.V.e.r.s.i.o.n.N.T. .&.g.t.;. .v.6...1.). .O.R. .(.V.e.r.s.i.o.n.N.T. .=. .v.6...1. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .1.).).". .D.i.s.p.l.a.y.T.e.x.t.=.".#.l.o.c...M.i.n.i.m.u.m.O.S.L.e.v.e.l.". ./.>..... . .<.W.i.x.B.a.l.C.o.n.d.i.t.i.o.n. .C.o.n.d.i.t.i.o.n.=.".V.e.r.s.i.o.n.N.T.6.4. .&.g.t.;.=. .v.6...0. .O.R. .(.V.e.r.s.i.o.n.N.T.6.4. .=. .v.5...2. .A.N.D. .S.e.r.v.i.c.e.P.a.c.k.L.e.v.e.l. .&.g.t.;.=. .1.).". .M.e.s.s.a.g.e.=.".[.W.i.x.B.u.n.d.l.e.N.a.m.e.]. .c.a.n. .o.n.l.y. .b.e. .i.n.s.t.a.l.l.e.d. .o.n. .W.i.n.d.o.w.s. .X.P. .S.P.1. .(.
                                          Process:C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):6841
                                          Entropy (8bit):5.231818976502303
                                          Encrypted:false
                                          SSDEEP:192:qMIJdg+CSWA2NLtMqAEwRceNlC8xiYOlTGyDtsFSpM52:IIATECl1i95Zw2
                                          MD5:1E47EE7B71B22488068343DF4CE30534
                                          SHA1:DEAEE13F21AB70B57F44F0AA3128EC7AD9E3816A
                                          SHA-256:8518F0420972C1DBE8A323FFC6F57863AF0B80C6A3B27FD0C6FC9BDABB7E2D13
                                          SHA-512:C4C653BFD1FC493B0EFD8F9C75495287818179DC35969D1FB1927FAAC3FF9189FDE1131C5ABBCC3963F707412A7F8AD05A9E6855B7D47D6DF1F80D25D67BE9ED
                                          Malicious:false
                                          Reputation:low
                                          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033\deflangfe1033{\fonttbl{\f0\fswiss\fprq2\fcharset0 Tahoma;}{\f1\froman\fprq2\fcharset2 Symbol;}}..{\colortbl ;\red0\green0\blue255;}..{\*\generator Riched20 6.2.9200}{\*\mmathPr\mnaryLim0\mdispDef1\mwrapIndent1440 }\viewkind4\uc1 ..\pard\nowidctlpar\sb120\sa120\b\f0\fs20 MICROSOFT SOFTWARE LICENSE TERMS\par....\pard\brdrb\brdrs\brdrw10\brsp20 \nowidctlpar\sb120\sa120 MICROSOFT VISUAL C++ REDISTRIBUTABLE FOR VISUAL STUDIO 2013 \par....\pard\nowidctlpar\sb120\sa120\b0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. Please read them. They apply to the software named above, which includes the media on which you received it, if any. The terms also apply to any Microsoft\par....\pard\nowidctlpar\fi-360\li360\sb120\sa120\f1\'b7\tab\f0 updates,\par..\f1\'b7\tab\f0 supplements,\par..\f1\'b7\tab\f0 Internet-based services, and\par..\f1\'b7\tab\f0 support services\pa
                                          Process:C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe
                                          File Type:PNG image data, 64 x 64, 8-bit colormap, non-interlaced
                                          Category:dropped
                                          Size (bytes):1861
                                          Entropy (8bit):6.868587546770907
                                          Encrypted:false
                                          SSDEEP:24:q36cnTKM/3kTIQiBmYKHeQWalGt1Sj9kYIt1uZ+bYOQe0IChR95aW:qqiTKMPuUBm7eQJGtYJM1uZCVszaW
                                          MD5:D6BD210F227442B3362493D046CEA233
                                          SHA1:FF286AC8370FC655AEA0EF35E9CF0BFCB6D698DE
                                          SHA-256:335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
                                          SHA-512:464AAAB9E08DE610AD34B97D4076E92DC04C2CDC6669F60BFC50F0F9CE5D71C31B8943BD84CEE1A04FB9AB5BBED3442BD41D9CB21A0DD170EA97C463E1CE2B5B
                                          Malicious:false
                                          Reputation:low
                                          Preview:.PNG........IHDR...@...@.............sRGB.........gAMA......a.....PLTE].q^.r_.r_.s`.s`.s`.ta.ta.ub.ub.vc.vd.vd.vd.we.we.xe.xg.yg yg zh zh"zi"{j#|i${j$|n*~n*.n,.o,.p..q0.r2.s3.t5.x;.x<.y>.z?.|B.~C.}E..F..F..H..I..J..L..O..P..W..Y..^..a..c..g..i..q..r..}.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................S......pHYs..%...%....^.....tEXtSoftware.Paint.NET v3.5.100.r.....IDATXG..iW.@...EJ.$M...`AEpG..7TpWT@\.."....(..(.._;...di:9.c>q..g....T...._...-....F..+..w.
                                          Process:C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):2952
                                          Entropy (8bit):5.052095286906672
                                          Encrypted:false
                                          SSDEEP:48:c5DiTl/+desK19hDUNKwsqq8+JIDxN3mt7NlN1NVvAdMcgLPDHVXK8KTKjKnSnYF:uDiTl/BbTxmup/vrxATd
                                          MD5:FBFCBC4DACC566A3C426F43CE10907B6
                                          SHA1:63C45F9A771161740E100FAF710F30EED017D723
                                          SHA-256:70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
                                          SHA-512:063FB6685EE8D2FA57863A74D66A83C819FE848BA3072B6E7D1B4FE397A9B24A1037183BB2FDA776033C0936BE83888A6456AAE947E240521E2AB75D984EE35E
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29" />.... <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. B
                                          Process:C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):5881
                                          Entropy (8bit):5.175177119212422
                                          Encrypted:false
                                          SSDEEP:96:wHdQG+3VzHfz96zYFJKFBiUxn7s82rf3nswO:wHAz8
                                          MD5:0056F10A42638EA8B4BEFC614741DDD6
                                          SHA1:61D488CFBEA063E028A947CB1610EE372D873C9F
                                          SHA-256:6B1BA0DEA830E556A58C883290FAA5D49C064E546CBFCD0451596A10CC693F87
                                          SHA-512:5764EC92F65ACC4EBE4DE1E2B58B8817E81E0A6BC2F6E451317347E28D66E1E6A3773D7F18BE067BBB2CB52EF1FA267754AD2BF2529286CF53730A03409D398E
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="logo.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Height="64" FontId="1" Visible="yes" DisablePrefix="yes">#(loc.Title)</Text>.... <Page Name="Help">.. <Text X="11" Y="80" Width="-11" Height="30" FontId="2" DisablePrefix="yes">#(loc.HelpHeader)</T
                                          Process:C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):120320
                                          Entropy (8bit):6.262646414883502
                                          Encrypted:false
                                          SSDEEP:1536:hwWD51FEDj4FBanDsDS7uO+Y3HBfPGST4BetdSnIDnDWZykftV4bvPbkYI9:NGDjrL7f35FTvtdJOZptV4bbkYS
                                          MD5:A52E5220EFB60813B31A82D101A97DCB
                                          SHA1:56E16E4DF0944CB07E73A01301886644F062D79B
                                          SHA-256:E7C8E7EDD9112137895820E789BAAAECA41626B01FB99FEDE82968DDB66D02CF
                                          SHA-512:D6565BA18B5B9795D6BDE3EF94D8F7CD77BF8BB69BA3FE7ADEFB80FC7C5D888CDFDC79238D86A0839846AEA4A1E51FC0CAED3D62F7054885E8B15FAD9F6C654E
                                          Malicious:false
                                          Reputation:low
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.................x=....x...... .....0.....n..x.....x8....x9....x>...Rich..........................PE..L......R...........!.....2..........1........P...............................0.......1....@.............................................l...........................0S..............................`...@............P...............................text...M0.......2.................. ..`.rdata..yd...P...f...6..............@..@.data..../..........................@....rsrc...l...........................@..@.reloc..B ......."..................@..B................................................................................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):465992
                                          Entropy (8bit):6.923996733031688
                                          Encrypted:false
                                          SSDEEP:6144:9qIuRebMq5S+Ud8AK+ehB9XgdmAeUBZ2x52OoElZTxPhhQgO1Oi/6xLdowQguVC+:9qIOkU8AMXE9B7PElZlP41v6ro4n+
                                          MD5:3284088A2D414D65E865004FDB641936
                                          SHA1:7F3E9180D9025FC14C8A7868B763B0C3E7A900B4
                                          SHA-256:102F69B5A98352A6A1A6B26BC2C86EE7611C1F45F5A9CA04F5A8841961F191C6
                                          SHA-512:6786FB431ADDF05DF256D0E1383501F96356AA78F66482DB9772C58334AEAD59838ABB7DB0EA793D4A17627A357598266681C28328485489A21BC2985E751B62
                                          Malicious:false
                                          Reputation:low
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........-.}}~.}}~.}}~...~.}}~...~.}}~...~.}}~...~.}}~.}|~.|}~...~.}}~...~.}}~.}.~.}}~...~.}}~Rich.}}~........PE..L...B.JT.....................6....................@..........................P......V>....@..................................5..@........9..............x>.......3.. ...............................X...@............................................text...$........................... ..`.rdata..L...........................@..@.data....0...`.......:..............@....wixburn8............J..............@..@.tls.................L..............@....rsrc....9.......:...N..............@..@.reloc..rD.......F..................@..B................................................................................................................................................................................................................................................
                                          Process:C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe
                                          File Type:Microsoft Cabinet archive data, 5572387 bytes, 14 files, at 0x44 +A "F_CENTRAL_mfc120_x64" +A "F_CENTRAL_mfc120chs_x64", flags 0x4, number 1, extra bytes 20 in head, 369 datablocks, 0x1 compression
                                          Category:dropped
                                          Size (bytes):5588515
                                          Entropy (8bit):7.997584686021991
                                          Encrypted:true
                                          SSDEEP:98304:y1lJQ3eMBA/uI4ms8UDSSBEnOEEEHlDyrAaKxk6MGII5wFGRB2CfhXkyq:yyuuI4mJKCLEEFeoxkcMsfhC
                                          MD5:F5879F5F3FFA839A280AB853338DE872
                                          SHA1:3B4366ABB2DA245416531925EBD8C76ADC3E90EF
                                          SHA-256:1F2F8F5D60DADBC6E4D3D36C88CC54F22AF0A615B609609E748782DC26231174
                                          SHA-512:96A88601CEDF859C9FCD388D9E8D2FD6139F6E69AB6B05B0E044D1A598CD1A066D27A0F7A7C71BD77576DCDD083DEC7A55F2CD9DE52FF95AAC23171C9F9670DE
                                          Malicious:false
                                          Reputation:low
                                          Preview:MSCF....#.U.....D...........................#.U..?..........l...q.....U........JT~ .F_CENTRAL_mfc120_x64.......U....JT~ .F_CENTRAL_mfc120chs_x64.....HGV....JT~ .F_CENTRAL_mfc120cht_x64..$....V....JT~ .F_CENTRAL_mfc120deu_x64...... X....JT~ .F_CENTRAL_mfc120enu_x64.. ..@.Y....JT~ .F_CENTRAL_mfc120esn_x64..$...?Z....JT~ .F_CENTRAL_mfc120fra_x64......d[....JT~ .F_CENTRAL_mfc120ita_x64.....8.\....JT~ .F_CENTRAL_mfc120jpn_x64......S]....JT~ .F_CENTRAL_mfc120kor_x64......$^....JT~ .F_CENTRAL_mfc120rus_x64...U.09_....JT~ .F_CENTRAL_mfc120u_x64..f...3.....JT~ .F_CENTRAL_mfcm120_x64..f..p......JT~ .F_CENTRAL_mfcm120u_x64.T2.;;;..CK.}.xT....$K.....*(..]...l...I..Y ...$.P..(.......2...XiK...j...#!.$.<....7.....Z.....}$..........;s..s.sf......TI.....J....y....i...._.!.....v..o..4.......#.>.y.y....f9...s<0.Q0~......{...Z.........0L.-;}..).^K..R:l.vH.;-..GT.F...v..Rj.....y.K.V._w..k.......f.t...5Zz.....9...h...t..........H.8..t..'..2..>=.$.e.....HR'H.H..?.."z..S..e&.%=i........
                                          Process:C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe
                                          File Type:Microsoft Cabinet archive data, 1018300 bytes, 5 files, at 0x44 +A "F_CENTRAL_msvcp120_x64" +A "F_CENTRAL_msvcr120_x64", flags 0x4, number 1, extra bytes 20 in head, 80 datablocks, 0x1 compression
                                          Category:dropped
                                          Size (bytes):1034428
                                          Entropy (8bit):7.9960148065256105
                                          Encrypted:true
                                          SSDEEP:24576:OaZAjJ7/iOnOtfHFVdbtaezjCsajNZV3Yk6dStkeQL4QfeQXsI8:nA16OnOtGezjC9ZBXLKeis5h
                                          MD5:361903C5FF86511786D7B450301DD640
                                          SHA1:C9FC04A718A388294658590F1240D8C7E9EE4F82
                                          SHA-256:E95D29CBB06BB323D9D43FC2CE61D4565B0866622A83D93DF76430A0C252B433
                                          SHA-512:78CEAAAA7F3E1A40AC2528E2F169416D6EBFABA54301754035F2A62F845421C8CDDAED84770182E51794C9FB32720AEC998D453DE2BEF621DE7A7E2B3B35AF20
                                          Malicious:false
                                          Reputation:low
                                          Preview:MSCF............D................................?..............P..............JT~ .F_CENTRAL_msvcp120_x64............JT~ .F_CENTRAL_msvcr120_x64..Z..P......JT~ .F_CENTRAL_vcamp120_x64..p.... ....JT~ .F_CENTRAL_vccorlib120_x64.......%....JT~ .F_CENTRAL_vcomp120_x64..Id..4..CK.}.\....,.. ...=..(.Kb%..E gcI|..&f......h!.....v+....u....&...R....C.-.zI.....=3....j.....~>0.....}...>...o..b9.3..p.j..sq'.g5q\.~k{po..|.j......O..,)....w;.L.9.........3.9#.8....W$%%..}dW............i...3?.k..Cf.....f..=L.r3...4.z..g..:T}..z.#]GO.R..G.. ..n.0.K..........=&..Y8..3={.G...v....}....%.cW.W.@L.xX...2i..K..m..n..K.W20..B.H..Q@.....p.....C..no. Qh...BF....B-....Wx..{...P.C.i7..8..+Jo...q...K}r'.:....:..qu.....7._....(a.D#...p-..._..)...xC..#.M.q.."..W\.....7.........t......m../..Mv...x.;..K.......9.\.....t.\....!....m.....-..}k.....Nl.....W!>.S.o.7../X..\..}9....6o....il.Wx......../z.......c...#.....I.a...w....V.....]....H&\Fi.+Z.t..!..Q.:..u.M.t.J....z..~E!......c..,
                                          Process:C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe
                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2013 x64 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40664., Template: x64;1033, Revision Number: {A1135D47-2E01-4DE6-AB19-25679EC5D3CF}, Create Time/Date: Thu May 25 00:06:24 2017, Last Saved Time/Date: Thu May 25 00:06:24 2017, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.7.2804.0), Security: 2
                                          Category:dropped
                                          Size (bytes):143360
                                          Entropy (8bit):5.852155639838542
                                          Encrypted:false
                                          SSDEEP:3072:rJyjFGJvLIcXcSqviQICInggvUwMNme8:0SIcXgvi3un8
                                          MD5:4F782799F84CD006F7F1C750AFB04D8C
                                          SHA1:0CD219D326FD40665D2F1B22569E2517792EDFD9
                                          SHA-256:8909E5C1D917064983595A4E4717F758C2A8DF8F59D7B31A5B79B2F95BD8F7CC
                                          SHA-512:CFDDAD551AA5A35B032B7006B167FD322AFF46EC8A2934632C087882B24404EE48083EE38B9110ADD9846880B1AE0BED136BB21AE751E1D3CDE9DC27EAED5915
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe
                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2013 x64 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40664., Template: x64;1033, Revision Number: {F8853551-4D30-4D6A-B36A-93EFAD4EEE03}, Create Time/Date: Thu May 25 00:06:22 2017, Last Saved Time/Date: Thu May 25 00:06:22 2017, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.7.2804.0), Security: 2
                                          Category:dropped
                                          Size (bytes):143360
                                          Entropy (8bit):5.7941100920635975
                                          Encrypted:false
                                          SSDEEP:1536:v/JyjziSGJvuiGPceicSqaQdFofZc9PMWkK1ICInuoAg6euHT2GDUQel5Tmt1PFA:XJyjFGJvLIcXcSqviQICInggBGHNmCQ
                                          MD5:87B74C694F295830FFE516BA20DE0B93
                                          SHA1:E6996D47BB76AD25954B793F73211524490F55A9
                                          SHA-256:E88D0915814E622CD1DECA849EFA23A0D58D5D756BE44EBBB4D460D3DAC9E816
                                          SHA-512:D0FD7F8C8964A99CE7A9D187640ACDBFF4CA3D16F02E44696706D6107B58890E763A18857BEC2B94F92CA559510FEA0AE5515CE3DE20AA4371AEBB38006C05EB
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):18415
                                          Entropy (8bit):4.043868285184243
                                          Encrypted:false
                                          SSDEEP:192:Haz4aHQbC6dBCLCNavmu6OqSPEmmVUJ9etKL5W2cBxGC4iSM0fvJ9seyryH1mqGI:2yk/RF8e7GWU2
                                          MD5:2B063D92663595DFE4781AE687A03D86
                                          SHA1:0FB582E756DBC751EA380593AC4DA27DDB4EBB06
                                          SHA-256:44C76290F7A2E45940E8338912FEB49BCF4E071CFA85D2D34762857743ACBC8D
                                          SHA-512:94C8FDA6173C7F5740F206190EDCD1F1F1C309596B710D400E23CD363A619D707A5D4576D4FE63AB7CB68947F009EFD29A1FBE04743A294698BF2AE17E92C214
                                          Malicious:false
                                          Reputation:low
                                          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset134 SimSun;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT \f1\'dc\'9b\'f3\'77\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\f0\par..MICROSOFT VISUAL C++ 2015 - 2022 \f1\'88\'cc\'d0\'d0\'eb\'41\'b6\'ce\f0 \par..\b0\f1\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'ca\'c7\'d9\'46\'d3\'c3\'91\'f4\'c5\'63\f0 Microsoft Corporation (\f1\'bb\'f2\'c6\'e4\'ea\'50\'82\'53\'c6\'f3\'98\'49\'a3\'ac\'d2\'95\'d9\'46\'d3\'c3\'91\'f4\'cb\'f9\'be\'d3\'d7\'a1\'b5\'c4\'b5\'d8\'fc\'63\'b6\'f8\'b6\'a8\f0 ) \f1\'d6\'ae\'e9\'67\'b3\'c9\'c1\'a2\'b5\'c4\'ba\'cf\'bc\'73\'a1\'a3\'cb\'fc\'82\'83\'df\'6d\'d3\'c3\'ec\'b6\'c9\'cf\'ca\'f6\'dc\'9b\'f3\'77\'a1\'a3\'b1\'be\'ca\'da\'99\'e0\'97\'6c\'bf\'ee\'d2\'e0\'df\'6d\'d3\'c3\'ec\'b6\'c8\'ce\'ba\'ce\f0 Microsoft \f1\'b7\'fe\'84\'d5\
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):2980
                                          Entropy (8bit):6.163758160900388
                                          Encrypted:false
                                          SSDEEP:48:c5DiTlOtMes9T/JhDXsA9EHSniarRFeOrw8N3mZNNTN2N08CEjMUWFPmDlTKJKy2:uDiTlFrDDsA9tfHP8+8nhM0WamzqDFqD
                                          MD5:472ABBEDCBAD24DBA5B5F5E8D02C340F
                                          SHA1:974F62B5C2E149C3879DD16E5A9DBB9406C3DB85
                                          SHA-256:8E2E660DFB66CB453E17F1B6991799678B1C8B350A55F9EBE2BA0028018A15AD
                                          SHA-512:676E29378AAED25DE6008D213EFA10D1F5AAD107833E218D71F697E728B7B5B57DE42E7A910F121948D7B1B47AB4F7AE63F71196C747E8AE2B4827F754FC2699
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ................. ......................../passive | /quiet - .... UI ........... UI.... ........... UI ........../norestart - ................UI ............./log log.txt - .........
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):13234
                                          Entropy (8bit):5.125368352290407
                                          Encrypted:false
                                          SSDEEP:192:T7wfl7OGpX5a5HEgQ2psch5jotXxEvH++3kamdyjCrDZugDHgbGNl86NhrYGY9D2:Yfl7O5ocINaHmjI44fUixAvOwwrJ2
                                          MD5:E7DC9CA9474A13FA4529D91BCD2AB8CC
                                          SHA1:511F5DE8A99C09EC3766C5E2494A79EACCA261C8
                                          SHA-256:503C433DCDE2F3A9E7D388A5FF2B0612E7D8F90F5188D5B2B60228DB33044FDE
                                          SHA-512:77108E53CD58E42F847D8EF23A07723C4849DC41DBE1C3EF939B9170E75F525BEC9D210D6C1FBFEB330ECE2E77B8A8E2808730D9E6F72F5B3FE626D58B6068C6
                                          Malicious:false
                                          Reputation:low
                                          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 LICEN\f1\'c8N\f0\'cd PODM\'cdNKY PRO SOFTWARE SPOLE\f1\'c8NOSTI MICROSOFT\par..\f0 MICROSOFT VISUAL C++ 2015 - 2022 RUNTIME \par..\b0 Tyto licen\f1\'e8n\f0\'ed podm\'ednky p\f1\'f8edstavuj\f0\'ed smlouvu mezi spole\f1\'e8nost\f0\'ed Microsoft Corporation (nebo n\f1\'eckterou z jej\f0\'edch afilac\'ed, v\~z\'e1vislosti na tom, kde bydl\'edte) a v\'e1mi. Vztahuj\'ed se na v\'fd\f1\'9ae uveden\f0\'fd software. Podm\'ednky se rovn\f1\'ec\'9e vztahuj\f0\'ed na jak\'e9koli slu\f1\'9eby Microsoft nebo aktualizace pro software, pokud se na slu\'9eby nebo aktualizace nevztahuj\f0\'ed odli\f1\'9an\f0\'e9 podm\'ednky.\par..\b DODR\f1\'8e\f0\'cdTE-LI
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3333
                                          Entropy (8bit):5.370651462060085
                                          Encrypted:false
                                          SSDEEP:48:c5DiTlOtesM6H2hDdxHOjZxsaIIy3Iy5sDMN3mkNFN7NwcfiPc3hKPnWZLF0hKqZ:uDiTlVxxHOy/9xXfpZJYnL8xK2S
                                          MD5:16343005D29EC431891B02F048C7F581
                                          SHA1:85A14C40C482D9351271F6119D272D19407C3CE9
                                          SHA-256:07FB3EC174F25DFBE532D9D739234D9DFDA8E9D34F01FE660C5B4D56989FA779
                                          SHA-512:FF1AE9C21DCFB018DD4EC82A6D43362CB8C591E21F45DD1C25955D83D328B57C8D454BBE33FBC73A70DADF1DFB3AE27502C9B3A8A3FF2DA97085CA0D9A68AB03
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instala.n. program [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Opravdu chcete akci zru.it?</String>.. <String Id="HelpHeader">N.pov.da nastaven.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [adres..] . Nainstaluje, oprav., odinstaluje nebo.. vytvo.. .plnou m.stn. kopii svazku v adres..i. V.choz. mo.nost. je instalace...../passive | /quiet . Zobraz. minim.ln. u.ivatelsk. rozhran. bez v.zev nebo nezobraz. ..dn. u.ivatelsk. rozhran. a.. ..dn. v.zvy. V.choz. mo.nost. je zobrazen. u.ivatelsk.ho rozhran. a v.ech v.zev...../noresta
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):12392
                                          Entropy (8bit):5.192979871787938
                                          Encrypted:false
                                          SSDEEP:192:N6AY7JCc/2WVJtntrUqMmvuUh+mxYpnY4+ZqDe6mUZaEzYNvQ8yOejISRC4WL32:PUw2lSSssWVzOHyOejIS/22
                                          MD5:2DDCA2866D76C850F68ACDFDB696D6DE
                                          SHA1:C5076F10B0F0654CDE2C990DEEB2772F3CC4844B
                                          SHA-256:28F63BAD9C2960395106011761993049546607F8A850D344D6A54042176BF03F
                                          SHA-512:E3A3693B92873E0B42007616FF6916304EDC5C4F2EEE3E9276F87E86DD94C2BF6E1CF4E895CDF9A1AA0CAC0B381B8840EEE1F491123E901DEE75638B8BC5CE1B
                                          Malicious:false
                                          Reputation:low
                                          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil Tahoma;}{\f3\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT-SOFTWARE-LIZENZBEDINGUNGEN\par..MICROSOFT VISUAL C++ 2015 - 2022 RUNTIME \par..\b0 Diese Lizenzbestimmungen stellen eine Vereinbarung zwischen Ihnen und der Microsoft Corporation (bzw. abh\'e4ngig von Ihrem Wohnsitz einem ihrer Affiliate-Partner) dar. Sie gelten f\'fcr die oben angef\'fchrte Software. Die Bestimmungen gelten ebenso f\'fcr jegliche von Microsoft angebotenen Dienste oder Updates f\'fcr die Software, sofern diesen keine anderen Bestimmungen beiliegen.\par..\b WENN SIE DIESE LIZENZBESTIMMUNGEN EINHALTEN, VERF\'dcGEN SIE \'dcBER DIE NACHFOLGEND AUFGEF\'dcHRTEN RECHTE.\par....\pard{\pntext\f3\'B7\tab}{\*\pn\pnlvlblt\pnf3\pnindent360{\pntxtb\'B7}}\
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3379
                                          Entropy (8bit):5.094097800535488
                                          Encrypted:false
                                          SSDEEP:48:c5DiTlOZuesXJhDEVTORNxSMoZN3mteNSiNGNsZuiAXEqicMwhPXbhu9KwKlK8Kq:uDiTl3N7xSbu0N8+AhSNnm
                                          MD5:561F3F32DB2453647D1992D4D932E872
                                          SHA1:109548642FB7C5CC0159BEDDBCF7752B12B264C0
                                          SHA-256:8E0DCA6E085744BFCBFF46F7DCBCFA6FBD722DFA52013EE8CEEAF682D7509581
                                          SHA-512:CEF8C80BEF8F88208E0751305DF519C3D2F1C84351A71098DC73392EC06CB61A4ACA35182A0822CF6934E8EE42196E2BCFE810CC859965A9F6F393858A1242DF
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] - Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [Verzeichnis] - installiert, repariert, deinstalliert oder.. erstellt eine vollst.ndige lokale Kopie des Bundles im Verzeichnis. Installieren ist die Standardeinstellung...../passive | /quiet - zeigt eine minimale Benutzeroberfl.che ohne Eingabeaufforderungen oder keine.. Benutzeroberfl.che und keine Eingabeaufforderungen an. Standardm..ig werden die Benutzeroberfl.che und alle Eingab
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):12349
                                          Entropy (8bit):5.108676965693909
                                          Encrypted:false
                                          SSDEEP:384:7Jja9NaNbUmVao9L5EOMjWghxjUSeuDSej2:dj84gmVz9EDjW8GSZC
                                          MD5:A6E352E5804313CCDE3E4D5DDDDE122D
                                          SHA1:834E3AAA07DC675589A9E5FCD23CE5586C2739E8
                                          SHA-256:5C13A65870D770D1642A4259EECB436257CA39016A0500F747BE9C79BE0C7009
                                          SHA-512:6578AC6467F61930BC1B20E404441725C63790C65AEC1ACE297429EAD15F50E68D5FE9CC1451AC86AE23DC1A7FE967650166293010D687785FB81FB4492B87C4
                                          Malicious:false
                                          Reputation:low
                                          Preview:{\rtf1\fbidis\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil\fcharset177 Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\ltrpar\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMES DU CONTRAT DE LICENCE LOGICIEL MICROSOFT\par..MICROSOFT VISUAL C++ 2015 - 2022 RUNTIME \par..\b0 Les pr\'e9sentes conditions de licence constituent un contrat entre Microsoft Corporation (ou en fonction de votre lieu de r\'e9sidence, l\f1\rquote\f0 un de ses affili\'e9s) et vous. Ils s\f1\rquote\f0 appliquent au logiciel vis\'e9 ci-dessus. Les termes s\f1\rquote\f0 appliquent \'e9galement \'e0 tout service et \'e0 toute mise \'e0 jour Microsoft pour ce logiciel, \'e0 moins que d\f1\rquote\f0 autres termes n\f1\rquote\f0 accompagnent ces \'e9l\'e9ments.\par..\b SI VOUS VOUS CONFORMEZ AUX PR\'c9SENTS TERMES DU CONTRAT D
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3366
                                          Entropy (8bit):5.0912204406356905
                                          Encrypted:false
                                          SSDEEP:48:c5DiTlO1BesgKLhD1K8cocDSN3m4NlN2ZfNmXL8ePZFcZkLPqUf9fQKRLKeKqZfj:uDiTlABzH1/qt4qgcXY
                                          MD5:7B46AE8698459830A0F9116BC27DE7DF
                                          SHA1:D9BB14D483B88996A591392AE03E245CAE19C6C3
                                          SHA-256:704DDF2E60C1F292BE95C7C79EE48FE8BA8534CEB7CCF9A9EA68B1AD788AE9D4
                                          SHA-512:FC536DFADBCD81B42F611AC996059A6264E36ECF72A4AEE7D1E37B87AEFED290CC5251C09B68ED0C8719F655B163AD0782ACD8CE6332ED4AB4046C12D8E6DBF6
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installation de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Voulez-vous vraiment annuler.?</String>.. <String Id="HelpHeader">Aide du programme d'installation</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installe, r.pare, d.sinstalle ou.. cr.e une copie locale compl.te du groupe dans le r.pertoire. Install est l'option par d.faut...../passive | /quiet - affiche une interface minimale, sans invite, ou n'affiche ni interface.. ni invite. Par d.faut, l'interface et toutes les invites sont affich.es...../norestart - supprime toutes les tentatives de red.
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):11440
                                          Entropy (8bit):5.037988271709582
                                          Encrypted:false
                                          SSDEEP:192:HJdZDQX6UXR2+5AkgS/PhdzerS8QGowHV66zdgkycjGCDLQ+n3YJ258FSiej4LaW:7azAUd+RrR5jjPLQY3YJTSjk42
                                          MD5:BC58AD6ABB16B982AEBADC121B37E706
                                          SHA1:25E3E4127A643DB5DB2A0B62B02DE871359FAE42
                                          SHA-256:70ECF23C03B66A2B18E173332586AFA8F00F91E02A80628F4F9CB2521E27F6AC
                                          SHA-512:8340452CB5E196CB1D5DA6DBB3FA8872E519D7903A05331055370B4850D912674F0B6AF3D6E4F94248FE8135EB378EB36969821D711FE1624A04AF13BBE55D70
                                          Malicious:false
                                          Reputation:low
                                          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 CONDIZIONI DI LICENZA SOFTWARE MICROSOFT\par..RUNTIME MICROSOFT VISUAL C++ 2015 - 2022 \par..\b0 Le presenti condizioni di licenza costituiscono il contratto tra Microsoft Corporation (o, in base al luogo di residenza del licenziatario, una delle sue consociate) e il licenziatario. Tali condizioni si applicano al software Microsoft di cui sopra. Le condizioni si applicano inoltre a qualsiasi servizio o aggiornamento di Microsoft relativo al software, tranne se accompagnato da condizioni differenti.\par..\b QUALORA IL LICENZIATARIO SI ATTENGA ALLE PRESENTI CONDIZIONI DI LICENZA, DISPORR\'c0 DEI DIRITTI INDICATI DI SEGUITO.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3319
                                          Entropy (8bit):5.019774955491369
                                          Encrypted:false
                                          SSDEEP:48:c5DiTlO1eesy+hD9BOtBFv5Vo8BbQhMNDJN3msNlNohNNz+wcPclM+PAoYKp+K/u:uDiTlfQvo8WutJ/s9FHNOJp
                                          MD5:D90BC60FA15299925986A52861B8E5D5
                                          SHA1:FADFCA9AB91B1AB4BD7F76132F712357BD6DB760
                                          SHA-256:0C57F40CC2091554307AA8A7C35DD38E4596E9513E9EFAE00AC30498EF4E9BC2
                                          SHA-512:11764D0E9F286B5AA7B1A9601170833E462A93A1E569A032FCBA9879174305582BD42794D4131B83FBCFBF1CF868A8D5382B11A4BD21F0F7D9B2E87E3C708C3F
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installazione di [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Annullare?</String>.. <String Id="HelpHeader">Guida alla configurazione</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installa, ripara, disinstalla o.. crea una copia locale completa del bundle nella directory. L'opzione predefinita . Install...../passive | /quiet - visualizza un'interfaccia utente minima senza prompt oppure non visualizza alcuna interfaccia utente.. n. prompt. Per impostazione predefinita viene visualizzata l'intera interfaccia utente e tutti i prompt...../norestart - annulla quals
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):30228
                                          Entropy (8bit):3.785116198512527
                                          Encrypted:false
                                          SSDEEP:192:I6ZzmL3hCm2AivEiTsk3H1DjM3Lm4nVsO4Uy9C0QueLJkEBN7VvfNSqkO+0TU7B9:VArCQx/2LLW7//72
                                          MD5:47C315C54B6F2078875119FA7A718499
                                          SHA1:F650DDB5DF2AF2EE7555C410D034B37B9DFD055B
                                          SHA-256:C3061A334BFD5F02B7085F8F454D5D3D97D477AF14BAB497BF31A7887BC90C5B
                                          SHA-512:A0E4B0FCCCFDD93BAF133C2080403E8719E4A6984237F751BD883C0D3C52D818EFD00F8BA7726A2F645F66286305599403470F14D39EEDC526DDE59228A5F261
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3959
                                          Entropy (8bit):5.955167044943003
                                          Encrypted:false
                                          SSDEEP:96:uDiTlDuB1n+RNmvFo6bnpojeTPk0R/vueX5OA17IHdGWz:5uB1+gD1DU4EdGE
                                          MD5:DC81ED54FD28FC6DB6F139C8DA1BDED6
                                          SHA1:9C719C32844F78AAE523ADB8EE42A54D019C2B05
                                          SHA-256:6B9BBF90D75CFA7D943F036C01602945FE2FA786C6173E22ACB7AFE18375C7EA
                                          SHA-512:FD759C42C7740EE9B42EA910D66B0FA3F813600FD29D074BB592E5E12F5EC09DB6B529680E54F7943821CEFE84CE155A151B89A355D99C25A920BF8F254AA008
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.. <Control Control="UninstallButton" X="270" Y="237" Width="120" Height="23"/>.. <Control Control="RepairButton" X="187" Y="237" Width="80" Height="23"/>.. .. <String Id="Caption">[WixBundleName] .......</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ............ ......... .........................
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):28393
                                          Entropy (8bit):3.874126830110936
                                          Encrypted:false
                                          SSDEEP:384:CuQibAmua4XatV1pMxlD1xzjxsZmfmzw4ezN7RQjyeqCBS96My7yNRylDSFrQv90:n4atZClDFsZuheqooMerJlQq/
                                          MD5:641D926354F001034CF3F2F3B0FF33DC
                                          SHA1:5505107FFF6CF279769A82510276F61EA18637AE
                                          SHA-256:3D4E9C165CBEAB829D608106F0E96450F839FFA8ADBD755F0B51867E89DA2AE0
                                          SHA-512:B0339664434B096ABC26D600F7657919EF3689B4E0FDFD4EDD8E479859A51EF51BE8F05FA43E25567FFD6C1C2BCC6EF0D7A857B6D666D264C7783BAD3A383D0E
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3249
                                          Entropy (8bit):5.985100495461761
                                          Encrypted:false
                                          SSDEEP:48:c5DiTlO4TesKOwhDNJCkt1NhEN3m/NFNkbKNdExpVgUnqx6IPaRc0KoUK9TKz0KR:uDiTlUJJCsgqf6YVoz4uU5vI54U5TY
                                          MD5:B3399648C2F30930487F20B50378CEC1
                                          SHA1:CA7BDAB3BFEF89F6FA3C4AAF39A165D14069FC3D
                                          SHA-256:AD7608B87A7135F408ABF54A897A0F0920080F76013314B00D301D6264AE90B2
                                          SHA-512:C5B0ECF11F6DADF2E68BC3AA29CC8B24C0158DAE61FE488042D1105341773166C9EBABE43B2AF691AD4D4B458BF4A4BF9689C5722C536439CA3CDC84C0825965
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] .. ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">.. ...</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ..... ... .. .. .... .., .., .. .... ...... ... .........../passive | /quiet - .... .. .. UI. ..... UI ... ..... .... ..... ..... UI. .. ..... ........../norestart - .. .... .. .... ...
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):13352
                                          Entropy (8bit):5.359561719031494
                                          Encrypted:false
                                          SSDEEP:384:Pd0SEvKJ7P9yEw1VAOV/sHm/Iznc2wf6w2:8Jf/sHmAzcaX
                                          MD5:F140FD8CA2C63A861D04310257C1B1DB
                                          SHA1:7BF7EF763A1F80ECACA692908F8F0790A88C3CA1
                                          SHA-256:6F94A99072061012C5626A6DD069809EC841D6E3102B48394D522A0C2E3AA2B5
                                          SHA-512:A0BD65AF13CC11E41E5021DF0399E5D21B340EF6C9BBE9B1B56A1766F609CEB031F550A7A0439264B10D67A76A6403E41ABA49B3C9E347CAEDFE9AF0C5BE1EE6
                                          Malicious:false
                                          Reputation:low
                                          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 POSTANOWIENIA LICENCYJNE DOTYCZ\f1\'a5CE OPROGRAMOWANIA MICROSOFT\par..\f0 MICROSOFT VISUAL C++ \f1\'8cRODOWISKO URUCHOMIENIOWE 2015-2022 \par..\b0\f0 Niniejsze postanowienia licencyjne stanowi\f1\'b9 umow\'ea mi\'eadzy Microsoft Corporation (lub, w zale\'bfno\'9cci od miejsca zamieszkania Licencjobiorcy, jednym z podmiot\f0\'f3w stowarzyszonych Microsoft Corporation) a Licencjobiorc\f1\'b9. Postanowienia te dotycz\'b9 oprogramowania okre\'9clonego powy\'bfej. Niniejsze postanowienia maj\'b9 r\f0\'f3wnie\f1\'bf zastosowanie do wszelkich us\'b3ug i aktualizacji Microsoft dla niniejszego oprogramowania, z wyj\'b9tkiem tych, kt\f0\'f3rym tow
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3212
                                          Entropy (8bit):5.268378763359481
                                          Encrypted:false
                                          SSDEEP:48:c5DiTlOPesar4hDo7zGriQjDCN3mDNN0NrsNGl3vxkIP2hUdKLK0KbK4n6W0sfNM:uDiTlusPGriQw8n2rOij4JsU
                                          MD5:15172EAF5C2C2E2B008DE04A250A62A1
                                          SHA1:ED60F870C473EE87DF39D1584880D964796E6888
                                          SHA-256:440B309FCDF61FFC03B269FE3815C60CB52C6AE3FC6ACAD14EAC04D057B6D6EA
                                          SHA-512:48AA89CF4A0B64FF4DCB82E372A01DFF423C12111D35A4D27B6D8DD793FFDE130E0037AB5E4477818A0939F61F7DB25295E4271B8B03F209D8F498169B1F9BAE
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalator [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Czy na pewno chcesz anulowa.?</String>.. <String Id="HelpHeader">Instalator . Pomoc</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [katalog] - Instaluje, naprawia, odinstalowuje.. lub tworzy pe.n. lokaln. kopi. pakietu w katalogu. Domy.lnie jest u.ywany prze..cznik install...../passive | /quiet - Wy.wietla ograniczony interfejs u.ytkownika bez monit.w albo nie wy.wietla ani interfejsu u.ytkownika,.. ani monit.w. Domy.lnie jest wy.wietlany interfejs u.ytkownika oraz wszystkie monity...../norestart - Pom
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):10956
                                          Entropy (8bit):5.086757849952268
                                          Encrypted:false
                                          SSDEEP:192:H2JR4ufWXXFA+YGRjHquAHHoKWCsGlHIpSDDvJRkYhaDznP3l7wLXiBpt32:WJ6ufB+Yc3AnoZCb5AGPQPCLQ72
                                          MD5:9A8D2ACF07F3C01E5CBC461AB932D85B
                                          SHA1:8781A298DCC14C18C6F6DB58B64F50B2FC6E338E
                                          SHA-256:27891EEC899BE859E3B4D3B29247FC6B535D7E836DEF0329111C48741EC6E701
                                          SHA-512:A60262A0C18E3BEF7C6D52F242153EBE891F676ED639F2DACFEBBAC86E70EEBF58AA95A7FE1A16E15A553C1BD3ECACCD8677EB9D2761CB79CB9A342C9B4252E2
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3095
                                          Entropy (8bit):5.150868216959352
                                          Encrypted:false
                                          SSDEEP:48:c5DiTlO5es/4ThDzmU6lDj4N3mBl0N+NWNP4hHCc9skPDXeKKeK9KfKt4eJ2RQdg:uDiTlJhJGl2UsZMLe6
                                          MD5:BE27B98E086D2B8068B16DBF43E18D50
                                          SHA1:6FAF34A36C8D9DE55650D0466563852552927603
                                          SHA-256:F52B54A0E0D0E8F12CBA9823D88E9FD6822B669074DD1DC69DAD6553F7CB8913
                                          SHA-512:3B7C773EF72D40A8B123FDB8FC11C4F354A3B152CF6D247F02E494B0770C28483392C76F3C222E3719CF500FE98F535014192ACDDD2ED9EF971718EA3EC0A73E
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Instala..o</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda da Instala..o</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [diret.rio - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. Install . o padr.o..../passive | /quiet - exibe a IU m.nima sem nenhum prompt ou n.o exibe nenhuma IU e.. nenhum prompt. Por padr.o, a IU e todos os prompts s.o exibidos...../norestart - suprime qualquer tentativa de reiniciar. Por padr.o, a IU perguntar. antes de reiniciar
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):31981
                                          Entropy (8bit):3.6408688850128446
                                          Encrypted:false
                                          SSDEEP:384:GdkM1I1EqW6aAHmxiTJrN6feZ78C7e5zoPqp007FsrmPx/1JRbnS0Yk4SYdIDtx2:Su4Mtg1S0YkjYWZM
                                          MD5:62229BE4447C349DF353C5D56372D64B
                                          SHA1:989799ED24913A0E6AE2546EE2A9A8D556E1CB3B
                                          SHA-256:1BB3FB55B8A13FA3BAFFFE72F5B1ED8B57A63BD4D8654BB6DC5B9011CE803B44
                                          SHA-512:FA366328C3FD4F683FDB1C5A64F5D554DE79620331086E8B4CCC2BFC2595B1FDED02CEC8AA982FCD8B13CC175D222AF2D7E2CD1A33B52F36AFD692B533FDBF13
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):4150
                                          Entropy (8bit):5.444436038992627
                                          Encrypted:false
                                          SSDEEP:48:c5DiTlDhQt9esbrohDTWJt49kAr7DHN3m5GNDCNvNLIkflhrWncPingGdZwK1Kqp:uDiTlDYVgmt4xJ88k193ipzjvL
                                          MD5:17C652452E5EE930A7F1E5E312C17324
                                          SHA1:59F3308B87143D8EA0EA319A1F1A1F5DA5759DD3
                                          SHA-256:7333BC8E52548821D82B53DBD7D7C4AA1703C85155480CB83CEFD78380C95661
                                          SHA-512:53FD207B96D6BCF0A442E2D90B92E26CBB3ECC6ED71B753A416730E8067E831E9EB32981A9E9368C4CCA16AFBCB2051483FDCFC474EA8F0D652FCA934634FBE8
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):13807
                                          Entropy (8bit):5.2077828423114045
                                          Encrypted:false
                                          SSDEEP:192:mfGSPTe1VWjPqkdUxtptACpt4jSzUQBtB7+fzCCnebZ/42W2TEAQjE4oOwuxqrEs:7SK+W6UbACp2SzD9+btebZwZWEdpow2
                                          MD5:9625F3A496DBF5E3E0D2F33D417EDBBF
                                          SHA1:119376730428812A31B70D58C873866D5307A775
                                          SHA-256:F80926604E503697247353F56856B31DE0B3FC1319F1C94068363952549CC9B1
                                          SHA-512:DB91A14FC27E3A62324E024DD44E3B5548AF7E1C021201C3D851BD2F32537885AACFC64ADAE619BAC31B60229D1D5FC653F5301CD7187C69BD0ACECCE817D6A3
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3221
                                          Entropy (8bit):5.280530692056262
                                          Encrypted:false
                                          SSDEEP:48:c5DiTlOaesHEqhDTHV4zVy6oBzdp0DYK2GP2ZmN3majyNXNoNKQXVvChcPc+WKb0:uDiTl3PHcIflKNTPgdi12xgg
                                          MD5:DEFBEA001DC4EB66553630AC7CE47CCA
                                          SHA1:90CED64EC7C861F03484B5D5616FDBCDA8F64788
                                          SHA-256:E5ABE3CB3BF84207DAC4E6F5BBA1E693341D01AEA076DD2D91EAA21C6A6CB925
                                          SHA-512:B3B7A22D0CDADA21A977F1DCEAF2D73212A4CDDBD298532B1AC97575F36113D45E8D71C60A6D8F8CC2E9DBF18EE1000167CFBF0B2E7ED6F05462D77E0BCA0E90
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Kurulumu</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.ptal etmek istedi.inizden emin misiniz?</String>.. <String Id="HelpHeader">Kurulum Yard.m.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [dizin] - y.kler, onar.r, kald.r.r ya da.. dizindeki paketin tam bir yerel kopyas.n. olu.turur. Varsay.lan install de.eridir...../passive | /quiet - en az d.zeyde istemsiz UI g.sterir ya da hi. UI g.stermez ve.. istem yoktur. Varsay.lan olarak UI ve t.m istemler g.r.nt.lenir...../norestart - yeniden ba.lama denemelerini engeller. Varsay.lan olarak UI yeniden ba.l
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):18214
                                          Entropy (8bit):3.9837154113926356
                                          Encrypted:false
                                          SSDEEP:192:Hom4PyAjs/HBJ5qyK3PG4lk5xxKyAW1yW7/Y3OKchGMvGMLdo4+uHq9f4yPxrdCX:IDM1OR5rGU2
                                          MD5:D083C7E300928A0C5AEA5ECBD1653836
                                          SHA1:08F4F1F9F7DFA593BE3977515635967CE7A99E7A
                                          SHA-256:A808B4933CE3B3E0893504DBEF43EBF90B8B567F94BD6481B6315ED9141E1B11
                                          SHA-512:8CB3FFAD879BABA36137B7A21B62D9D6C530693F5E16FBB975F3E7C20F1DB5A686F3A6EE406D69B018AA494E4CD185F71B369A378AE3289B8080105157E63FD0
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):2978
                                          Entropy (8bit):6.135205733555905
                                          Encrypted:false
                                          SSDEEP:48:c5DiTlOtKesi+hDtkQf7lz+W0gopN3m5+3cNONeN1ra8vWqPtlTKxKUTKlKXRoR+:uDiTlV5kQR9GLeE0ZxV6gIV
                                          MD5:3D1E15DEEACE801322E222969A574F17
                                          SHA1:58074C83775E1A884FED6679ACF9AC78ABB8A169
                                          SHA-256:2AC8B7C19A5189662DE36A0581C90DBAD96DF259EC00A28F609B644C3F39F9CA
                                          SHA-512:10797919845C57C5831234E866D730EBD13255E5BF8BA8087D53F1D0FC5D72DC6D5F6945DBEBEE69ACC6A2E20378750C4B78083AE0390632743C184532358E10
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):10825
                                          Entropy (8bit):5.1113252296046126
                                          Encrypted:false
                                          SSDEEP:192:HalhwTwQ4yzePBrarlvTteQH3bf9WaoXUBXZRaS9YARl0hcXNVD32:6lc4krlU2ymLN12
                                          MD5:873A413D23F830D3E87DAB3B94153E08
                                          SHA1:24CFC24F22CEF89818718A86F55F27606EB42668
                                          SHA-256:ABC11BB2B04DFF6AFE2D4D4F40D95A7D62E5AF352928AF90DAA3DADE58DD59BD
                                          SHA-512:DC1ECCB5CC4D3047401E2BC31F5EB3E21C7881C02744A2E63C10D3C911D1158DCFAC023988E873C33DC381C989304FE1D3CB27ED99D7801285C4C378553CD821
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3265
                                          Entropy (8bit):5.0491645049584655
                                          Encrypted:false
                                          SSDEEP:48:c5DiTlO/esS6VGhDv4tiUiyRUqzC4U+aD6N3m7xNh1NWNGbPz+9o3PWeKK9K9KfT:uDiTlxouUTiySqyIwz9sgxqvjIk8
                                          MD5:47F9F8D342C9C22D0C9636BC7362FA8F
                                          SHA1:3922D1589E284CE76AB39800E2B064F71123C1C5
                                          SHA-256:9CBB2B312C100B309A1B1495E84E2228B937612885F7A642FBBD67969B632C3A
                                          SHA-512:E458DF875E9B0622AEBE3C1449868AA6A2826A1F851DB71165A872B2897CF870CCF85046944FF51FFC13BB15E54E9D9424EC36CAF5A2F38CE8B7D6DC0E9B2363
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar la operaci.n?</String>.. <String Id="HelpHeader">Ayuda de configuraci.n</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - instala, repara, desinstala o.. crea una copia local completa del paquete en el directorio. La opci.n predeterminada es la instalaci.n...../passive | /quiet - muestra una IU m.nima sin solicitudes o no muestra ninguna IU ni.. solicitud. De forma predeterminada, se muestran la IU y todas las solicitudes...../norestart - elimina cualquier intento
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (633), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):15190
                                          Entropy (8bit):3.738616200218003
                                          Encrypted:false
                                          SSDEEP:192:X0sv+DnH5zHqQHG0Hd8Hz7HE06HA0rH3php7GtHxLUrezLG0LeZetHJT580JI0Bm:X0sKdLbmnoNEtR0iJyZetXI2VEp+EL
                                          MD5:2EE103493F085F0F7C635A430F36E0A0
                                          SHA1:6148F7B7DF3EDD7FF9E5D2C4B92B93E91223919A
                                          SHA-256:A884D7460C9E2814382B11B67A63B920E01E711BC7ED61C2D4F2A6AB8FCCA389
                                          SHA-512:4F870368DE31FBF2026A9390445D093F6A098DF510C6E409564B4AA32E836A41DE4304787824A3B3EFA9A56B05CAC2BF3BB49E3CA8B8BE3D1B1EBFF1B647A29A
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):9235
                                          Entropy (8bit):5.167332119309966
                                          Encrypted:false
                                          SSDEEP:192:H8kZ1UVDWkiWZTIsp/4hghFF1Qf4lCfnEtHixEGx736wHqItfSpOtJ32:cM1RWZMi/zzlOnjt5HLoa2
                                          MD5:04B33F0A9081C10E85D0E495A1294F83
                                          SHA1:1EFE2FB2D014A731B752672745F9FFECDD716412
                                          SHA-256:8099DC3CF9502C335DA829E5C755948A12E3E6DE490EB492A99DEB673D883D8B
                                          SHA-512:D1DBED00DF921169DD61501E2A3E95E6D7807348B188BE9DD8FC63423501E4D848ECE19AC466C3CACFCCC6084E0EB2F457DC957990F6F511DF10FD426E432685
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:PNG image data, 64 x 64, 8-bit colormap, non-interlaced
                                          Category:dropped
                                          Size (bytes):1861
                                          Entropy (8bit):6.868587546770907
                                          Encrypted:false
                                          SSDEEP:24:q36cnTKM/3kTIQiBmYKHeQWalGt1Sj9kYIt1uZ+bYOQe0IChR95aW:qqiTKMPuUBm7eQJGtYJM1uZCVszaW
                                          MD5:D6BD210F227442B3362493D046CEA233
                                          SHA1:FF286AC8370FC655AEA0EF35E9CF0BFCB6D698DE
                                          SHA-256:335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
                                          SHA-512:464AAAB9E08DE610AD34B97D4076E92DC04C2CDC6669F60BFC50F0F9CE5D71C31B8943BD84CEE1A04FB9AB5BBED3442BD41D9CB21A0DD170EA97C463E1CE2B5B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):2952
                                          Entropy (8bit):5.052095286906672
                                          Encrypted:false
                                          SSDEEP:48:c5DiTl/+desK19hDUNKwsqq8+JIDxN3mt7NlN1NVvAdMcgLPDHVXK8KTKjKnSnYF:uDiTl/BbTxmup/vrxATd
                                          MD5:FBFCBC4DACC566A3C426F43CE10907B6
                                          SHA1:63C45F9A771161740E100FAF710F30EED017D723
                                          SHA-256:70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
                                          SHA-512:063FB6685EE8D2FA57863A74D66A83C819FE848BA3072B6E7D1B4FE397A9B24A1037183BB2FDA776033C0936BE83888A6456AAE947E240521E2AB75D984EE35E
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29" />.... <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. B
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):8332
                                          Entropy (8bit):5.184632608060528
                                          Encrypted:false
                                          SSDEEP:96:8L2HdQG+3VzHfz96zYFGaPSWXdhRAmImlqFQKFBiUxn7Ke5A82rkO/pWk3nswP:ZHAzZ/3
                                          MD5:F62729C6D2540015E072514226C121C7
                                          SHA1:C1E189D693F41AC2EAFCC363F7890FC0FEA6979C
                                          SHA-256:F13BAE0EC08C91B4A315BB2D86EE48FADE597E7A5440DCE6F751F98A3A4D6916
                                          SHA-512:CBBFBFA7E013A2B85B78D71D32FDF65323534816978E7544CA6CEA5286A0F6E8E7E5FFC4C538200211F11B94373D5658732D5D8AA1D01F9CCFDBF20F154F1471
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="logo.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Heig
                                          Process:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):220512
                                          Entropy (8bit):6.754483649907534
                                          Encrypted:false
                                          SSDEEP:6144:K6EZdi6e93SuDeTKZxQfsRy26BqbUHYJe:K62i6eNSYeuZ2sRDK
                                          MD5:F68F43F809840328F4E993A54B0D5E62
                                          SHA1:01DA48CE6C81DF4835B4C2ECA7E1D447BE893D39
                                          SHA-256:E921F69B9FB4B5AD4691809D06896C5F1D655AB75E0CE94A372319C243C56D4E
                                          SHA-512:A7A799ECF1784FB5E8CD7191BF78B510FF5B07DB07363388D7B32ED21F4FDDC09E34D1160113395F728C0F4E57D13768A0350DBDB207D9224337D2153DC791E1
                                          Malicious:false
                                          Reputation:low
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........N............e......e..............................e......e......e..............*.......*.......*.d.............*.......Rich............PE..L......e...........!.........................0...............................@............@.............................................................`W... ..x.......T...........................8...@............0..X............................text............................... ..`.rdata.......0....... ..............@..@.data...............................@....rsrc...............................@..@.reloc..x.... ......................@..B........................................................................................................................................................................................................................................................................................
                                          Process:C:\Windows\SysWOW64\cmd.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):548909
                                          Entropy (8bit):2.2670594202931933
                                          Encrypted:false
                                          SSDEEP:3072:CIFUD3n5K8QUh9t1ECakIAjgikS254x5/GTNaJL:C+MOEL
                                          MD5:C2376DC40C15E8AFCFD4ED45B9956AA4
                                          SHA1:F053E9497D59C6AD7B44393DF2EC4C207FF01FCD
                                          SHA-256:B6863B9D1B6578A9423DEFAD8FFBDBE9969211BEBF454CFA0A1341634C6F98FD
                                          SHA-512:B08DD3235AA1E4AC40C7E4758F730B1E9FDAA7641DE855AAA99FD0E077AE11AD84EF090E3D29B06CD8A0910B4560979B91FF4EED1B500B5F798906EF05AE7F39
                                          Malicious:false
                                          Reputation:low
                                          Preview:--2025-01-13 01:58:35-- https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe..Resolving www.danielgm.net (www.danielgm.net)... 162.241.226.205..Connecting to www.danielgm.net (www.danielgm.net)|162.241.226.205|:443... connected...HTTP request sent, awaiting response... 200 OK..Length: 355083480 (339M) [application/x-msdownload]..Saving to: 'C:/Users/user/Desktop/download/CloudCompare_v2.14.alpha_setup_x64.exe'.... 0K .......... .......... .......... .......... .......... 0% 278K 20m49s.. 50K .......... .......... .......... .......... .......... 0% 1.03M 13m9s.. 100K .......... .......... .......... .......... .......... 0% 1017K 10m40s.. 150K .......... .......... .......... .......... .......... 0% 1.13M 9m15s.. 200K .......... .......... .......... .......... .......... 0% 1.08M 8m26s.. 250K .......... .......... .......... .......... .......... 0% 849K 8m10s.. 300K .......... .......... .......... .......... .......... 0% 5.71M 7m8s
                                          Process:C:\Windows\SysWOW64\wget.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):355083480
                                          Entropy (8bit):7.999789709819808
                                          Encrypted:true
                                          SSDEEP:6291456:1ZSSJaTGQcj2yF/fGyp4k7HKwYdefyVq7mN+yvMEdWMsOBa4y+mEs9LKUc:OSNQcj2yFJr+ZqKN+ZgU4y+3wLy
                                          MD5:4FA9171C45161772572CB136422EA7FD
                                          SHA1:07E5617C3EFE1AD8AC181043C8F2D4C1B665FF38
                                          SHA-256:2E51AC90FDA81441AB9671598E2ACD169E001DC2A969E3331FDD38C02B0AFEC8
                                          SHA-512:A357E2F286B6512D9CAE295B21292595DC59067D89D159A8473CE5FA80247D84E50A407BCD45166B6D42853DBDBC635244B7453292C5D7CED25F3BEF2F9BA8F0
                                          Malicious:false
                                          Reputation:low
                                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...n.._.................P...........^.......p....@..................................a*...@......@...................@....... ..6....p...H..........X.)..&...................................`......................."..D....0.......................text....6.......8.................. ..`.itext.......P.......<.............. ..`.data....7...p...8...T..............@....bss.....m...............................idata..6.... ......................@....didata......0......................@....edata.......@......................@..@.tls.........P...........................rdata..]....`......................@..@.rsrc....H...p...H..................@..@....................................@..@........................................................
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2013 x64 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40664., Template: x64;1033, Revision Number: {F8853551-4D30-4D6A-B36A-93EFAD4EEE03}, Create Time/Date: Thu May 25 00:06:22 2017, Last Saved Time/Date: Thu May 25 00:06:22 2017, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.7.2804.0), Security: 2
                                          Category:dropped
                                          Size (bytes):143360
                                          Entropy (8bit):5.7941100920635975
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:87B74C694F295830FFE516BA20DE0B93
                                          SHA1:E6996D47BB76AD25954B793F73211524490F55A9
                                          SHA-256:E88D0915814E622CD1DECA849EFA23A0D58D5D756BE44EBBB4D460D3DAC9E816
                                          SHA-512:D0FD7F8C8964A99CE7A9D187640ACDBFF4CA3D16F02E44696706D6107B58890E763A18857BEC2B94F92CA559510FEA0AE5515CE3DE20AA4371AEBB38006C05EB
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2013 x64 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40664., Template: x64;1033, Revision Number: {F8853551-4D30-4D6A-B36A-93EFAD4EEE03}, Create Time/Date: Thu May 25 00:06:22 2017, Last Saved Time/Date: Thu May 25 00:06:22 2017, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.7.2804.0), Security: 2
                                          Category:dropped
                                          Size (bytes):143360
                                          Entropy (8bit):5.7941100920635975
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:87B74C694F295830FFE516BA20DE0B93
                                          SHA1:E6996D47BB76AD25954B793F73211524490F55A9
                                          SHA-256:E88D0915814E622CD1DECA849EFA23A0D58D5D756BE44EBBB4D460D3DAC9E816
                                          SHA-512:D0FD7F8C8964A99CE7A9D187640ACDBFF4CA3D16F02E44696706D6107B58890E763A18857BEC2B94F92CA559510FEA0AE5515CE3DE20AA4371AEBB38006C05EB
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2013 x64 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40664., Template: x64;1033, Revision Number: {A1135D47-2E01-4DE6-AB19-25679EC5D3CF}, Create Time/Date: Thu May 25 00:06:24 2017, Last Saved Time/Date: Thu May 25 00:06:24 2017, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.7.2804.0), Security: 2
                                          Category:dropped
                                          Size (bytes):143360
                                          Entropy (8bit):5.852155639838542
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:4F782799F84CD006F7F1C750AFB04D8C
                                          SHA1:0CD219D326FD40665D2F1B22569E2517792EDFD9
                                          SHA-256:8909E5C1D917064983595A4E4717F758C2A8DF8F59D7B31A5B79B2F95BD8F7CC
                                          SHA-512:CFDDAD551AA5A35B032B7006B167FD322AFF46EC8A2934632C087882B24404EE48083EE38B9110ADD9846880B1AE0BED136BB21AE751E1D3CDE9DC27EAED5915
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2013 x64 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40664., Template: x64;1033, Revision Number: {A1135D47-2E01-4DE6-AB19-25679EC5D3CF}, Create Time/Date: Thu May 25 00:06:24 2017, Last Saved Time/Date: Thu May 25 00:06:24 2017, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.7.2804.0), Security: 2
                                          Category:dropped
                                          Size (bytes):143360
                                          Entropy (8bit):5.852155639838542
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:4F782799F84CD006F7F1C750AFB04D8C
                                          SHA1:0CD219D326FD40665D2F1B22569E2517792EDFD9
                                          SHA-256:8909E5C1D917064983595A4E4717F758C2A8DF8F59D7B31A5B79B2F95BD8F7CC
                                          SHA-512:CFDDAD551AA5A35B032B7006B167FD322AFF46EC8A2934632C087882B24404EE48083EE38B9110ADD9846880B1AE0BED136BB21AE751E1D3CDE9DC27EAED5915
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2022 X64 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.42.34433., Template: x64;1033, Revision Number: {A75B920C-55CD-4531-932F-CB4C539C41F8}, Create Time/Date: Tue Oct 29 06:50:14 2024, Last Saved Time/Date: Tue Oct 29 06:50:14 2024, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                          Category:dropped
                                          Size (bytes):212992
                                          Entropy (8bit):6.367262947705725
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:09042BA0AF85F4873A68326AB0E704AF
                                          SHA1:F08C8F9CB63F89A88F5915E6A889B170CE98F515
                                          SHA-256:47CCEB26DD7B78F0D3D09FDDC419290907FE818979884B2192C834034180E83B
                                          SHA-512:1C9552A8BF478F9EDDE8ED67A8F40584A757C66AAF297609B4F577283469287992C1F84EBE15DF4DF05B0135E4D67C958A912738F4814440F6FD77804A2CFA7D
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2022 X64 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.42.34433., Template: x64;1033, Revision Number: {A75B920C-55CD-4531-932F-CB4C539C41F8}, Create Time/Date: Tue Oct 29 06:50:14 2024, Last Saved Time/Date: Tue Oct 29 06:50:14 2024, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                          Category:dropped
                                          Size (bytes):212992
                                          Entropy (8bit):6.367262947705725
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:09042BA0AF85F4873A68326AB0E704AF
                                          SHA1:F08C8F9CB63F89A88F5915E6A889B170CE98F515
                                          SHA-256:47CCEB26DD7B78F0D3D09FDDC419290907FE818979884B2192C834034180E83B
                                          SHA-512:1C9552A8BF478F9EDDE8ED67A8F40584A757C66AAF297609B4F577283469287992C1F84EBE15DF4DF05B0135E4D67C958A912738F4814440F6FD77804A2CFA7D
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2022 X64 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2022 X64 Additional Runtime - 14.42.34433., Template: x64;1033, Revision Number: {E04E511C-7D1F-4263-AB6A-F816392FD4D7}, Create Time/Date: Tue Oct 29 06:55:02 2024, Last Saved Time/Date: Tue Oct 29 06:55:02 2024, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                          Category:dropped
                                          Size (bytes):212992
                                          Entropy (8bit):6.372377887079137
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:351D8E8C804F6C6AAB4C718977B1817D
                                          SHA1:1B680E5E2ED548E5636F9D656C49C87CF9A70DA8
                                          SHA-256:CF584E5132EF3766A088F824BD038494713A7168CDDDD44E3F8C4AD581E2206E
                                          SHA-512:D0613C6B1A72C73013C0519619C557811A1D20FCDDC8361D391A31FC4AA9C70173B907957BABB049067111427A81E48A82E5467A15DAE8BEBB55B048993C93A4
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2022 X64 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2022 X64 Additional Runtime - 14.42.34433., Template: x64;1033, Revision Number: {E04E511C-7D1F-4263-AB6A-F816392FD4D7}, Create Time/Date: Tue Oct 29 06:55:02 2024, Last Saved Time/Date: Tue Oct 29 06:55:02 2024, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                          Category:dropped
                                          Size (bytes):212992
                                          Entropy (8bit):6.372377887079137
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:351D8E8C804F6C6AAB4C718977B1817D
                                          SHA1:1B680E5E2ED548E5636F9D656C49C87CF9A70DA8
                                          SHA-256:CF584E5132EF3766A088F824BD038494713A7168CDDDD44E3F8C4AD581E2206E
                                          SHA-512:D0613C6B1A72C73013C0519619C557811A1D20FCDDC8361D391A31FC4AA9C70173B907957BABB049067111427A81E48A82E5467A15DAE8BEBB55B048993C93A4
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):6636
                                          Entropy (8bit):5.763956167830669
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:09E32A1E07F55C76A8AF88BB53E3478F
                                          SHA1:FDBA07479E7346A392E31E08807ED5F1193FBB77
                                          SHA-256:B660815BDC7C335397E5ABCF88F4685883593A40C01E0A783C03CF1298860848
                                          SHA-512:386BDFD5058268B15E5245F9C8EEAC0AFAFB73DDFEAD3847DA2AB23C8B49D99ACF1A18B006F1D42BC713A9A17D9E3BBBA4452E73D53327282B720F0FB839077C
                                          Malicious:false
                                          Reputation:low
                                          Preview:...@IXOS.@.....@..-Z.@.....@.....@.....@.....@.....@......&.{D5D19E2F-7189-42FE-8103-92CD1FA457C2};.Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532..vc_runtimeMinimum_x64.msi.@.....@..$..@.....@........&.{4E8C8C37-B448-4BB0-8A8B-F640B3239F71}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........InstallInitialize......&.{36F68A90-239C-34DF-B58C-64B30153CE35}....&.{4E8C8C37-B448-4BB0-8A8B-F640B3239F71}c.&.{36F68A90-239C-34DF-B58C-64B30153CE35}............ProcessComponents..Updating component registration.....@.....@.....@.]....&.{3639FCCA-5969-316D-AC18-E0C6B2B532E9}&.{D5D19E2F-7189-42FE-8103-92CD1FA457C2}..&.{3639FCCA-5969-316D-AC18-E0C6B2B532E9}...@.....@......&.{D2959D22-4DB7-32AF-A1B0-8405C4221749}&.{D5D19E2F-7189-42FE-8103-92CD1FA457C2}..&.{D2959D22-4DB7-32AF-A1B0-8405C4221749}...@.....@......&.{B33
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):11166
                                          Entropy (8bit):5.663617314861601
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:FDB50A14367C1C9AA6CA4111BF0D927C
                                          SHA1:661F2947B012D9220E789FFAC370E5C1470F812F
                                          SHA-256:D68BB64896A506D42D6D39C980093C050C9DB8B3CD68294E43A9E75B4A7BE1C7
                                          SHA-512:6695F44DF044F4586B2678787A39B325B9F26437B5C9FB30280EA51CB565F0FBB7E527F0BF3F1AE459AC4D3ED0504BA23DB0529088967C4669BE47A2A995A033
                                          Malicious:false
                                          Reputation:low
                                          Preview:...@IXOS.@.....@..-Z.@.....@.....@.....@.....@.....@......&.{382F1166-A409-4C5B-9B1E-85ED538B8291};.Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.42.34433..vc_runtimeMinimum_x64.msi.@.....@..*..@.....@........&.{A75B920C-55CD-4531-932F-CB4C539C41F8}.....@.....@.....@.....@.......@.....@.....@.......@....;.Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.42.34433......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{3639FCCA-5969-316D-AC18-E0C6B2B532E9}@.02:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\X64\Version.@.......@.....@.....@......&.{D2959D22-4DB7-32AF-A1B0-8405C4221749}@.22:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\X64\Version.@.......@.....@.....@......&.{B33258FD-750C-3B42-8BE4-535B48E97DB4}$.C:\Windows\system32\vcruntime140.dll.@.......@.....@.....@......&.{4AF15CBB-F5C1-4468-A694-C5A03A2238D5},.C:\Windows\system32\vcrunti
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):6757
                                          Entropy (8bit):5.765324673526062
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:0641A969CCDBAE4031729C5A45BB2F9B
                                          SHA1:81B300E55BE2419B2FEA8B583776184DAD56C6D4
                                          SHA-256:9602830A2E3EF41B3B54DA529B440BFFAA931BB2359E24BEF8898FDDCE6A695F
                                          SHA-512:585E5D13F945126AA9C37EDDFE4BF3983B2C7040D0C1943B13F95B2D20C3D5E612FC34988111A0B5A6848FE8A870033F72E4424A660574521CF8F8F0DDCF6BB5
                                          Malicious:false
                                          Reputation:low
                                          Preview:...@IXOS.@.....@x.-Z.@.....@.....@.....@.....@.....@......&.{53CF6934-A98D-3D84-9146-FC4EDF3D5641}:.Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40664..vc_runtimeMinimum_x64.msi.@.....@....@.....@........&.{F8853551-4D30-4D6A-B36A-93EFAD4EEE03}.....@.....@.....@.....@.......@.....@.....@.......@....:.Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.40664......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{BC1F4291-6F0A-38EB-984E-C2E555837FE1}@.02:\SOFTWARE\Microsoft\VisualStudio\12.0\VC\Runtimes\x64\Version.@.......@.....@.....@......&.{E5B92048-5859-4AF1-AEAD-B97EBF00B087} .C:\Windows\system32\msvcr120.dll.@.......@.....@.....@......&.{570C624B-D57C-4CD1-9013-1B80C800093B} .C:\Windows\system32\msvcp120.dll.@.......@.....@.....@......&.{14E8634F-8AEA-4CD1-AC48-BEBFDA18523A}#.C:\Windows\system32\vccorlib120.dll.@.......@.....@.....@......&.
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):10712
                                          Entropy (8bit):5.724508851128765
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:8BD9B4DB186E2EAF105A826E17D99C91
                                          SHA1:239428C1955081365AE64F8074A4E291877C2AED
                                          SHA-256:F58A2E667098FD258A7D9F0BEF12AB04D05D2BA7F66F57A585543106B8766F35
                                          SHA-512:3E5DF669E21E705F6FC1AE03C048C06609EC2A0D418426D43D4DAD8EF82D1F85ADF4E7981A75F32B7C139E76D6E02952E50FF39CEB5A1BAC65DAA79886A07C76
                                          Malicious:false
                                          Reputation:low
                                          Preview:...@IXOS.@.....@y.-Z.@.....@.....@.....@.....@.....@......&.{010792BA-551A-3AC0-A7EF-0FAB4156C382}=.Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40664..vc_runtimeAdditional_x64.msi.@.....@....@.....@........&.{A1135D47-2E01-4DE6-AB19-25679EC5D3CF}.....@.....@.....@.....@.......@.....@.....@.......@....=.Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.40664......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{191E6DE4-E7B2-3CE9-B48B-25D0FFF3D88E}@.02:\SOFTWARE\Microsoft\VisualStudio\12.0\VC\Runtimes\x64\Version.@.......@.....@.....@......&.{E70078E7-D25B-421C-A415-0AB472053F72}..C:\Windows\system32\mfc120.dll.@.......@.....@.....@......&.{7D2EA505-A879-4E71-8632-F3DE9B679CE6}..C:\Windows\system32\mfc120u.dll.@.......@.....@.....@......&.{1F74928D-AA17-468C-A7D7-6A730A8DB25B}..C:\Windows\system32\mfcm120.dll.@.......@.....@.....@......
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):8325
                                          Entropy (8bit):5.7698465778550565
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:035875C674EC7FB46CB79B5D23FA39B1
                                          SHA1:A8C66CE897496FD33A62D12670B28085E2290576
                                          SHA-256:8C23BBF9E327C9018898DD080DE2E7D363C6C932729B28E45B493E5557397076
                                          SHA-512:C6AE355FBEDD4A51A4C20ECA07165D28DA10E25F812D7E0047322D0DAD8781DDBA40BDC82CAC3BCFF381852275E613FD5C5CF883ACC2A5E24964018D0564E25A
                                          Malicious:false
                                          Reputation:low
                                          Preview:...@IXOS.@.....@..-Z.@.....@.....@.....@.....@.....@......&.{0025DD72-A959-45B5-A0A3-7EFEB15A8050}>.Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532..vc_runtimeAdditional_x64.msi.@.....@..$..@.....@........&.{DD2B5EB1-E08E-45CD-8D47-2D0457D64BA3}.....@.....@.....@.....@.......@.....@.....@.......@....>.Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........InstallInitialize......&.{9B0BAA88-E15F-3A1F-ACC0-B206E9DDF71C}....&.{DD2B5EB1-E08E-45CD-8D47-2D0457D64BA3}c.&.{9B0BAA88-E15F-3A1F-ACC0-B206E9DDF71C}............ProcessComponents..Updating component registration.....@.....@.....@.]....&.{3639FCCA-5969-316D-AC18-E0C6B2B532E9}&.{0025DD72-A959-45B5-A0A3-7EFEB15A8050}..&.{3639FCCA-5969-316D-AC18-E0C6B2B532E9}...@.....@......&.{D2959D22-4DB7-32AF-A1B0-8405C4221749}&.{0025DD72-A959-45B5-A0A3-7EFEB15A8050}..&.{D2959D22-4DB7-32AF-A1B0-8405C4221749}...@.....@...
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):10152
                                          Entropy (8bit):5.679856717761794
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:C1C4DE222461F325BC474097AE442B30
                                          SHA1:91529CBF850000DB263B0EB350E8B3F952CFCA41
                                          SHA-256:195520054236279D741F6CAD70762053BB61B7AF268DE7E2AC6872C7FA831FB2
                                          SHA-512:B24D8B87A952CEE78CF962632BD9DCC0F049ED65F753D2BFEC327A1FC593FEDEE5B1FC15F39BBE33B338FD6B4802CA292EF2027AD4B6B0AB082466FC76DA055E
                                          Malicious:false
                                          Reputation:low
                                          Preview:...@IXOS.@.....@..-Z.@.....@.....@.....@.....@.....@......&.{E1902FC6-C423-4719-AB8A-AC7B2694B367}>.Microsoft Visual C++ 2022 X64 Additional Runtime - 14.42.34433..vc_runtimeAdditional_x64.msi.@.....@..*..@.....@........&.{E04E511C-7D1F-4263-AB6A-F816392FD4D7}.....@.....@.....@.....@.......@.....@.....@.......@....>.Microsoft Visual C++ 2022 X64 Additional Runtime - 14.42.34433......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration.....@.....@.....@.]....&.{3639FCCA-5969-316D-AC18-E0C6B2B532E9}@.02:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\X64\Version.@.......@.....@.....@......&.{D2959D22-4DB7-32AF-A1B0-8405C4221749}@.22:\SOFTWARE\Microsoft\VisualStudio\14.0\VC\Runtimes\X64\Version.@.......@.....@.....@......&.{99A922E3-648F-3C37-8AE6-78232F317B1E}..C:\Windows\system32\mfc140.dll.@.......@.....@.....@......&.{8924DA15-E863-388D-A06B-E7A3931AD77B}..C:\Windows\system32\mfc1
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):1.2084996511762145
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:3E6976DB7931B1FDBD3AF1489272990A
                                          SHA1:43CD5EFA590D84BFB64BEB27ABAA83F40F0FBE91
                                          SHA-256:EC19AFEC025C082EAE155FE70AB546D93844C1AE6DE09E31FB0CE420C89368B4
                                          SHA-512:E5A0F4994CD99ABE87F7306E01A00AC85B1DB59B485DB0AD794FD08370C2A736B2B75363550CD103C9E7332A8100A709CBCA891570FA9A752605A2767E01B3CE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):1.2061450811229038
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:3331E6B0C45C96AD87117E29570F4AA1
                                          SHA1:9FDDBDA3CADA641E8CB5E8C7D8267B848C15AA40
                                          SHA-256:E4DB35BD140327190AFE244DB8F6A5BC233EBE651321D35270A08F78637FCACE
                                          SHA-512:B0403E2CF31C9B160313E74EC1C90226604147E158D42F8F443D9BA9429BD5BE05D16961789AD56BDFAB29AC03E2E7E5B844817D5724B794C0B3C40AEEB7E797
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):1.206990306178728
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:B1C201C6C1BE8E8D92F3DB9838246A02
                                          SHA1:49E0EBF1E9106CA9F24F9C59C991A04AA6945B75
                                          SHA-256:C998AF03B5CBA73F1A296B324C45C6223749FFFDD2B2F0DE87885EE5AA83F06C
                                          SHA-512:2A26535F01F6301732E478D314CAE489F7868BC73C63D1EF761E7FF8F9C8AE89DE1682514CF32A7AC8CF1199A78596F7093102F53499DBD1EFC54C4AC0BA7912
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):1.208013892538418
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:F810B8A10014E4029CE0625C3420F171
                                          SHA1:A96DA48EE3D3679B8A3DED8504314C66D553BB0D
                                          SHA-256:FE7A369CEBCC936B7E340D94DE9481F26064BD2549B862611B69C607F962F865
                                          SHA-512:7F8A75FC0A7735F99598ECE33009646078205D90CA5519AB96215CF146E25B72FDE21032D651F79D67B9DACA004FC6B6F4F94B991E515B7A2C19D2A7D695CC34
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):1.5702617092973745
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:FCC3534800303083102E692518997607
                                          SHA1:9122D7800A4D24F4ACD59AEB994A4737D55B55D4
                                          SHA-256:8324590A01C123FCC4F15797197554077BA0F291A7CE302DC7D997F257DECDC5
                                          SHA-512:6E7079135475ACBFB2C395C5C3A05E5392C9CBC2B1E297A31E7D4C10132712F0D33F032FD7D10EF46F5F5D665A52F23B236DA0848DD8BEEF514847CE2F221C9E
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):432221
                                          Entropy (8bit):5.375163879035266
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:8F982C276E8C790BCB0661DDE721108E
                                          SHA1:B12B4AC7B639E2B6B3CD113443721A7D96F68DF5
                                          SHA-256:4015503BE4B01CF5F538EA39AB65E6B98DA37BB1D9472EA19C6A10F003E61390
                                          SHA-512:2DCAD606C497F55773245D6F0064A32181CC8190B637C7118E3A9BC389A890BDBA35BC284804E7A377A0DE557F9B462B137581F49B0A3F8A4285A554DDB31C58
                                          Malicious:false
                                          Reputation:low
                                          Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):322640
                                          Entropy (8bit):6.349528011750681
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:8FC1C2F2EBB7E46DF30ECD772622B0BC
                                          SHA1:168BE3B4545DC617B99D0598565A03C0366820E4
                                          SHA-256:E2E4609C569C69F7B1686F6D0E81CE62187AC5DF05E0247954500053B3C3DE3F
                                          SHA-512:6F3EC746EC10334692E930B515A37F3D5BD342CA60A49C4298924BE933262D7D782DE8A11D4F865A30A5AA22C5515059E3E39A92A61AE5FAE53622CEAA7D5C4B
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):5608096
                                          Entropy (8bit):6.663647971077495
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:47999145F1B48D94E732420A5F3E405C
                                          SHA1:29A8A95C4F8824CCD7BC14CC4CADA0545A8DFEF1
                                          SHA-256:FB83E940B281947CC8659611EF6AFA75C21A6626B1E70565D0A573F22A48B55E
                                          SHA-512:F13A52E9444AEE274092BE544C8558ED1BDF58046C983AF49815C6D75C4FD41A361917F3CFC07B3FCAEA69A628D23E7684E4BE939904CE473FC9A4D771355733
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):46248
                                          Entropy (8bit):6.136845158865701
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:7F9A33DECCBDB7E47C8AB3B748EC4144
                                          SHA1:88A78F8494489CC12907F530860B3299304DB1FC
                                          SHA-256:64920E61862E4FEEAF321D2A3F80EAB3438E8CDE38089DBD6AE1AD045F750B2C
                                          SHA-512:67B329CF7D6AAA3C4DDBB02087F8BCC5B032687F616C8A4A4031FC7F38DC00DD43E96B98AE7C441B48184D3B4323144511379041E94A567945E85F31D2C5676E
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):46248
                                          Entropy (8bit):6.179175448870857
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:35BDE055469E774C815C7EFF219A08EE
                                          SHA1:31E02484E626C8475286E8E5DDFCEA2ECD28A279
                                          SHA-256:E97AD479A4139ADAC6399655551348BFC289D84B1B3F22B2415F1D26BC899BDF
                                          SHA-512:4810930577159A78D66708E3077DF1794F0C7ADCAD19A9114439ECACD2E8499973BFB632590D8202EA0C087110A70B1A23AEBE9AB34387C4DD259C3543CE36D4
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):74920
                                          Entropy (8bit):4.756491883843184
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:6B2530874F3E108A4F98DB91446F0724
                                          SHA1:8E0D8707AEA0ED3DA2EA5CB72CAF6D3A6399259C
                                          SHA-256:B2772DB0688B3C86134A1969BAE17FD6AAE1C8240A1F5910C0A724522ABCC581
                                          SHA-512:D29FB6375A1E85CEC3D09C28A8FD121A1A155AE1B51C7D3D6CB2B6C9F5F4AF73EA90CBFF9E8F80A16F90AB66CA907838D4D662300112F8D6110146C4A36EFBB2
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):65192
                                          Entropy (8bit):4.903639829726367
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:740ABD194F5E72E3980CF622E6CB41AF
                                          SHA1:FB52B9B8ED399AC267C7117A457945305082FF73
                                          SHA-256:40A552625932701B7D300E36D46B79A352256406F8FE1046D66B8DA06636E421
                                          SHA-512:0D8226C53E5F3FCF0009EC6CD9B518E276040CE0B367289C118D8FD623440A0583387B2753776BEB83D6588E982DA4093627FAA0A22443DD36868766799DD8B0
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):73896
                                          Entropy (8bit):4.729774877721125
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:D78CE649777F9E35D2F014A7074BAB72
                                          SHA1:1739E8362581CD9EB2BA36746823A19718EE8BB8
                                          SHA-256:418C8454E90E20357A91D0D3256C2E944C8578F65B5DE169823037CAAE1DAFC6
                                          SHA-512:AAB61F05D05BB9E8CC1523DCB39D8F429A0686194658C41484425B588877BD96A920C07A52113382363F0CDC8BD25CDA60932EF8F074FAEEDE58EDF9B76BB8CA
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):74920
                                          Entropy (8bit):4.743165612876026
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:13FA0653A0CF0E5D6E83859E447F2303
                                          SHA1:8FBFAA952FE68AE9D6A64A487ED41190796E9C29
                                          SHA-256:55583148630EB2AB63F387AACEBE00562CBFD4068FFE3DBDE234C5F410F7FE24
                                          SHA-512:BD7158FD33D27A6AFC44E6FDFAEDF4C76D8004FCED11A10688D7E02DD58BAD1A2197121861E387F33E0670296A0565EADDB5A9FD496FA6ED741DC2F9AADF07D7
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):72872
                                          Entropy (8bit):4.7396852722353655
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:3516AE713FE141DF351540D639B8C98D
                                          SHA1:FBE0B4685ABA672A08146B11DD080D87C803D78F
                                          SHA-256:8161B0C144A5B243C42A0F7A42075B319495E9E7B0853DE50B239187AF1EBFC1
                                          SHA-512:559BE2E05F8385C68D693950F417EF8CAE396736B5BA3435DFBEDED5F20942E27E652FC1B9647C0455ACFB69193DFE9A68ADF8D211AE830580FB772F4FA54DB0
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):53928
                                          Entropy (8bit):5.973287205154736
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:49E6BA38DE51D6FD0F333EF9A6150217
                                          SHA1:4E780114C1E3C7DC4AB197F1518B50327AFB1616
                                          SHA-256:97B63B34B59196BAC34A2AD26EEAE5812AFFBC643174F64AA142BE3CA6BBCAD1
                                          SHA-512:1F7CA2DA137FB7B282C2D55599552B77A9E42E25B6E4FD2071D341D7EA74EB4A6EB7A6826CB5E945689781767FE7E99F818D4696E211809DEC0EBFF66F0F6EAC
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):53416
                                          Entropy (8bit):6.099615087976641
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:79114C9DF498F70195DDC93AECAAF726
                                          SHA1:48B362EDFD4093793A9631463A15825098A18DBA
                                          SHA-256:4327E89BAF445830750E05F3510E4B84E83F6700E63DB028544107534BCEA783
                                          SHA-512:EF2B1D58EE75578F4BE123424BC2F73371B85D631985C73308319F6740F73F4790DDD45376C6EF420636576ED279184B8661A2DAC3C8FA3A0FEE1FD39D39834F
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):70824
                                          Entropy (8bit):5.288774786800738
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:36FDC1F74D583543E82B17BCC59ACEDE
                                          SHA1:1387093951C180340FAC724832A0B83834E5700A
                                          SHA-256:EE413BF57E7FD579003B4FABE5A08E94A9E194A6AD1FBD0FD34DBF7D009BB68A
                                          SHA-512:5745E4A3C887AEBB5A6FB3FCB198BA313BCE2F231053FA54F906D0BFAB9DB05F5A5AC9835CEE435C6713EF147B5C564DD318E08A51E7F2C79F996DDF03E80359
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):5634720
                                          Entropy (8bit):6.648198427709692
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:F7D3FC7C0ED92E2DE47F7F85B684A51A
                                          SHA1:1707DA9AA8460CB65AC7946805CEC12CCA6DB8B3
                                          SHA-256:D822EC4E09FDF5446E62C09CF5819146F09A4670F77AAA81E4133B912592F1F9
                                          SHA-512:FBCABF3B8CCE40A9829FB9894CDB751662CC3A3B41F962691075D7E5D18831AD8C43C697E7919B4B1E96288015BE3544637DED1AC0427844F810BE6C2F221A1D
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):5622864
                                          Entropy (8bit):6.7472704207598255
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:277949968E022B74D4370E94AAA70D76
                                          SHA1:0902D716F2966DFBC8ED32237F00DB52FB1A9EA9
                                          SHA-256:3916D6406CBD63B81300989EFF24042FD16A1344EDD9904E6093A1619853B9B8
                                          SHA-512:3452E7DD91158AE1474DBD838C5AFB4F281F4A0F0D0C9F665506108555DC087C9086257D70643F7281200C19638D4059679E9D1E610F8E935A447428D32B38ED
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):51304
                                          Entropy (8bit):6.319038641792757
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:9CBBA8B64FEB8167093BEF01055D4547
                                          SHA1:4E95E671E9D818764ED76F4AE5D9A4BEB1ED24EA
                                          SHA-256:1DDE587FEABACF34CE435DB596815563732F3E42E595EE5C0766115483FA22AB
                                          SHA-512:694BEA161CE3E0E6C17BD8A84E14FA83FFFE122F833808D586BB8D67546553A711B417433AA14D963DF6F82D52118428721F2C8932DE52E324E2CA27CEDFEB80
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):51280
                                          Entropy (8bit):6.3571761032627
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:67AAD6CAC0716E4B9A2ED43319FF3BC4
                                          SHA1:EEF641F1E2601ADFEEE172F07A51D15FBE8DAA83
                                          SHA-256:97296F66478F3DDE87565A867F159E98C0B751C067491978D26987EC8609B334
                                          SHA-512:E0F034831D535DFECAAC8A98454F6A982FE89FE7B14B5F8FE35FF15EBFD4E64AA74830520654DC94CAD46BBFA13F5A32D756789720B564C3791212C6F74C41FC
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):79976
                                          Entropy (8bit):4.994443234085317
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:D97E3D56F2ACBD54671CDC2496AA02B5
                                          SHA1:D5943EF3E74C98734B43630C9FD7F6B123FD2FA3
                                          SHA-256:F0D3A39951FCCF41429E087BF87523C261B292AEF2416BAD6C606C3A8EC3799B
                                          SHA-512:B2C33A9BC9B4D174804C14FE3DB71306149B36CE760C2939D8FB8FB4E6F34DFCB3629FA5CE7F6BADDD6BBA4297D7BE9B84FCA45B5F3BD70CE7893ADC7C05C868
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):70256
                                          Entropy (8bit):5.150852428474578
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:D92BAFE14939B60093AAE336340D4CFD
                                          SHA1:8E017CF296BAF7D6EB9C47A7C688FC8C3FBB7FE7
                                          SHA-256:DC7BBA5E343A56E61BBC90DD497ED397339731FCD50F42B0D7825BC787EE16B0
                                          SHA-512:784FFFAE7A50F6991828C4113719426DE083D60B52490E9034FB29C5C32787C252456ADE1753D493367BBCC06039C620E220C2A4A278AA8057A239C25B7A5152
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):78952
                                          Entropy (8bit):4.971589823131607
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:5110F40A05DBC4CCC02260ECC2A002CA
                                          SHA1:DF3B1EAC64186ECB08D7D11966037B879AB3112C
                                          SHA-256:F8C5517246DE29946CDCFD46EEEE6D021FF9271C2ED806BCD37572C8E44AC9FB
                                          SHA-512:65F1E857E4B2DEF041B423AA803AAAD6BA5543320085362EB9944ECC2ACEC08007081C5F068550FC3A610AA2B2D7592BF5F5F49BEE80091C7A704CE727460D92
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):79976
                                          Entropy (8bit):4.975449677987261
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:D2A0439EBD5E8CFBFECFDA82C0EF2669
                                          SHA1:CD8E8639F8B0F8526A7297255FD97DD2CD22BF5C
                                          SHA-256:F5C53DDF07223DD3DC25276DE42FC3958EC1B9EE6EB4F385680159C056B6F22E
                                          SHA-512:57C12D3F1F4DA9177165F09477287826BE1C221BBCA18AEAE5D4CC840DE3AEA3CB0C6317A43714FB8DD13E1E186A654275EA62D7C286A8DC2E04A6D17332B7D5
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):77936
                                          Entropy (8bit):4.979078290008832
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:C081990436336CD6A1FE8E6986FA004C
                                          SHA1:DCBF030AE874A24AA266C57E0676869ECA9739AE
                                          SHA-256:37BBAED22D80172C5BD8019DAF95B9C8C051E561AACF232E6C07A09E702B2273
                                          SHA-512:2C0CBDEF8F8BAF3969FC8FC0345B2E75737FB368AD6D31A030741EDC4168EAB450A6608F783C7CCE81AD77DE1BBF3520D44A1A062458090F02ABCEC08576A0B0
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):58960
                                          Entropy (8bit):6.151712284541509
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:D9B8C007A3B3D0CAB3B7CE95CD93B4ED
                                          SHA1:4509FF52489358475BC83D569F0011DB8CBF53A9
                                          SHA-256:0CFC2226385F2EE8FAC530B1DE72B87B3BCDD14732A23A545F989E38E965A822
                                          SHA-512:71755ACFD4031F9EAE868431A056C3E37F49926AB78EE7E2EDB956CB42F675A384D416DA6F48D107B0C5D8AD382618C1091E18A4AFF5DFCA757667D56E4C8DDB
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):58472
                                          Entropy (8bit):6.272332121552409
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:E10B9371A0746AF285BD2C78931CAB4F
                                          SHA1:3FA036FB2882C5C9457DD436951CAC12AB6060A7
                                          SHA-256:3D3E43E6F2E305F7F2FC97E74E4CEF7037A56E075AB41FB359FA445AB5CBB786
                                          SHA-512:80717FC26B2438955770FED6EDAE0E2FB49AC8FAB57AF3B827275C2FFD1F8A563803983C1A2E206FD5940DF0705FF1EC1526F1C0C9A4E87D750CC8FE1D8F9385
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):75856
                                          Entropy (8bit):5.502784487678861
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:FAAB772287C97342BE72B98443575F04
                                          SHA1:2296D3CF50C75DEB4DBEFDCE939D9EE1D0FE9E27
                                          SHA-256:577E3273049C6E4115030B3D2A1977AC4265C246697583CEB28A4E99457199A6
                                          SHA-512:960D7CACBA0D059E820D39DAFD245CF30203819634521D905B6EF001FDE43A3C9A7876BD95595FACB5F152F4042B1C80E16A04EE05BD41C65464E927569212C8
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):5658192
                                          Entropy (8bit):6.729941320562663
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:3D3FD261916A8327667BBD66C4C53C80
                                          SHA1:DCE287AD815A91C4F80EA05F565C47A605E0F07A
                                          SHA-256:DD502923934ED248EC3A1417142306542C8023536637B650AFD8930859A9B2AD
                                          SHA-512:9E7EFF71B829F24F65B5A4CE5DC429AEB4BC8F5F188F83B17FC8796B610B541E13849AD4A7B98CE11E0E6675F9016D7E6A9D81280D1F7AE054E8AA072B522F08
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):91808
                                          Entropy (8bit):6.334619249503521
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:480F828BD5B34C59C288F55CB363CAD2
                                          SHA1:95499B7F1005666FB5D273C1B96E8FD239D95866
                                          SHA-256:431E7373DEE1EEE2AB86588DEA061394EDF14A364C026DD47582D982BEFB1D78
                                          SHA-512:C55021AC4B34F32B0C5BDDA842FC52756759723B57DA0F82407291EB928B90C71AA6F61C74B209DE14132530C4BD0DE838C64D34E6F746C76E10342001C67122
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):91816
                                          Entropy (8bit):6.335643438000401
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:D739C219492AEA851D4B71127B310E83
                                          SHA1:488401EC9413C025C5A7CE9AEDC0B7629579A4A6
                                          SHA-256:F0CFCC1A9CD9B246B53FE14FA2F77975763A6DE5FBB3A98CF5EA622BE0C62CEA
                                          SHA-512:A1DD96D1E3BD21382879C0B68B81B2740C14F5DAE9490800A9BD8534A7CF13030163D4149F56E602B903E4DF23A7F0B0B5B3F0F294E1C30B7BEBC4F89D971D7C
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):96416
                                          Entropy (8bit):6.387028558514212
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:58B613899800EB4B690984E1C78BD31F
                                          SHA1:D827BA4A4E59C78D11C61B9C5BE78C8DDD5B74F4
                                          SHA-256:9B53E19B5F96DE66CD3992169009146AD08F2F042CC0AED4191E1F0B1068891F
                                          SHA-512:9767AD3BD377DF7E3818E98FDAC794F5147FAECA9680DB568E96BED173206B71FE59FFA2B031A182BACC37EA440D329BF03FE3EF30EA72CE655EEBE2DDC6B677
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):96384
                                          Entropy (8bit):6.3866070308269265
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:76D7D08147A8F109A69C7A9871D3BED7
                                          SHA1:E7DC5E4AE364998A555875EC7AA1614CEE78D87C
                                          SHA-256:99328025DD44FBF310280E83CB0F17AA0D0420446A08768A8910D70B6D8C94F7
                                          SHA-512:BDED655AEFC386ECA685A0B47285CCBBB090DE4D654C88198C7CA87AF4FC9F7C7BDF3268D7E0414263100E03F6B7AD7CD087CDB9DBD6062613BE47AF5B23CF59
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):659624
                                          Entropy (8bit):6.34353451383787
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:C2028BA6C66363B36EA659CA8816265D
                                          SHA1:5E2BDA10AD417466290DC08FD6EE8BC5FCF0EBBD
                                          SHA-256:3B92E964404E3F94531E7D7C4C7419561D9ECA6ACCD98DC3979C9E3596DB444C
                                          SHA-512:28E87D7360C4BD2EB30152173DA6FDF30340B5FF0186A68F26514088DCC15758851AFD01A179E976A91A9A85F9C1EE0CFA40308ED9D42654739ACF6F6DD773F4
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):575592
                                          Entropy (8bit):6.535312420736696
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:CFDF6EAF5328FECBDEC268B7F9E21F3A
                                          SHA1:100C8A08DE6544B8554A542AD55AF831F86565E7
                                          SHA-256:9057D39B36B6C7D054865EE2BF9CDE7A490FE3B01EC4E82514687E24F576269F
                                          SHA-512:A81FEB56AE3E4939ABB21597F4F60429B704E04E6C20FAC402A0518FE7B29606BF8824347A7570D98F3C44684C15BF6B520E350321BFC2A42EC5597989215782
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):35944
                                          Entropy (8bit):6.653057193822569
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:6DD04C14A17CAAE50D068FC89D7D01F0
                                          SHA1:4D2D12D7A0139C8248F9F9266982562ED402B8DA
                                          SHA-256:A65249861238E1C18B84AE5D112617C438D83A76B67EDDC170AD82DBC2338665
                                          SHA-512:9C04F015728D0F57E7B91E888505A0A288064529BF72DFB1F2C5FC571DB40C2CC118782B8544BEBC4E26B8BD189667FE65D13289A4F347B2805FF5EC5B9646AE
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):267880
                                          Entropy (8bit):6.5200682286945115
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:DDC38BB34DE28E1F42B6DEA9770D4D65
                                          SHA1:6FC98E48F5E738C82279ED0F445AC1DD9C4D02A3
                                          SHA-256:89E2E9A163165E20C540F9ADEA081E927DDFE4A556547B0F45F11586D4CCE165
                                          SHA-512:F4B07D80BE1E64F132DBC1AB2F29E4CA6B2CC589B348328937857CE9B578118497D6F39AFEBE49DD19E3665A8BAB92E441721613D4EBE873254AD0BEAD6F446F
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):50256
                                          Entropy (8bit):6.650307191256275
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:333727166AF151E95B05CB54550342CD
                                          SHA1:746504C9056B83D9AF6F800905B80E864AAEA5F4
                                          SHA-256:FBF41E4B53F51BBF73FEE37B6120103FEA6B7D5AE29916F8EF50C50CFDEDEEAD
                                          SHA-512:2D9FA95A068784A8E799362FAF97B42253DBD614DA504907ED01D1F7F3FDC56D1BB964B2009171EDA87149A595D84EC83D50DAFF30BE9BD6F7A3C76C75226C40
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):31824
                                          Entropy (8bit):6.837226224621119
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:208CD115A93175DB7A8EE80B97E0CC28
                                          SHA1:789E0DA53C321D7A64C1435F569FDBFB249DFACD
                                          SHA-256:0E1D3D76E899A89FB3893FB13ABAE232FF62AD4F573214DD2F02B8398166BCC6
                                          SHA-512:8E0BF76440D64D2331FA9988F81850F646A91335C02A2028877ADD6190CF4CAC533CF22825D2F0565B854075CF70FF86CD728E2114284F2321E52B1B47004DE6
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):963240
                                          Entropy (8bit):6.63315431748134
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:B70474FE249402E251A94753B742788C
                                          SHA1:F53B3C21ADF75DC84977067869253E207F1B9795
                                          SHA-256:753AC30C30AAE62415CC225E3D057B8B6254AFE280696E0A43F1A7C3132632A6
                                          SHA-512:7776E05FE58CB3C12A4A020DEF9596ECFB6DC1B1F8CA010EC27A8AE027EADF1EEF901ACBAFE042E2F7B31D1920F62CE163342ACF37F96802EC27D68AC7BF972E
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):481952
                                          Entropy (8bit):5.988099327257469
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:7FA53D11D558D61228A8E0C4D9F71B00
                                          SHA1:BE78D57D1D5899A3AA77C95F6F9EAA638C3F7DB0
                                          SHA-256:096A72B8ACED30F604B0DFF52BE3DD1C7354C0D6A528E3060E9F62696FCD843E
                                          SHA-512:C6616A768B8C18998DFA722D8F0D7FBC6E51CD1BB74B3360343A6A06762A9D6D38DEBF241950FA3ACACF9C5681F7E510B62D346E052C2F3B211DAACF2EDF9DE6
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):408656
                                          Entropy (8bit):6.395785800442683
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:406A784AAA43DC068BA5945119109012
                                          SHA1:85BAC30E041B6D85C0D7BA89FC8C05C69D264F88
                                          SHA-256:192E80290753E5A79C56367700A09181321C0984515F4C35E7EA8A0F245877BF
                                          SHA-512:56C4BA950BAFBB6F818BFF9E70EFE59546912A2B4F331C134C9D98B65C165A4251E7C6D60A58DDE9432E618EA9DEF07C57482AEA460B877C826BA5304E7248E4
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):356528
                                          Entropy (8bit):5.9171117722289335
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:6D62E7D709CAAB4A459EDE82366853C0
                                          SHA1:D6DE1FAC72BA254538F2C754928CC35B3AB103AC
                                          SHA-256:5A357A9F10D55B70E50A04B0B6716263E678E877E0934F536CC82AA1C3072C25
                                          SHA-512:0D478FC2C9C5E7CB6A331A0E11156D85A8ECA2B99B1108DC145680F511051D83547FA56073B377212597B5B94B9A77E661178D2549A59AB251700733ED156CF3
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):351824
                                          Entropy (8bit):6.052949543661257
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:164561905F701BC680D654232BB5C4D1
                                          SHA1:ACEF59F34D1245169A671C32D69EB204DC5897D3
                                          SHA-256:8903B5D88968791D2A93648A54A1AC3D1C708C579A72311FFE194F6D66903043
                                          SHA-512:5237F7A722100167A0291B215F151F502AE615160E58D2130FB693289D3C87415EDBA3F0A96B11118117A574F58B50A348D21CE4A32987FABB5D9B4BBBC83887
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):137888
                                          Entropy (8bit):6.214673538212
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:72A89F606F0EFC608B36288BC32705A2
                                          SHA1:DC6371903ECE074D792B2AF264FBF2CC49B1CAE2
                                          SHA-256:7FD73132D9579EEBB2E6EE202BABC6A49B3744DE84C9B34FEDE0B3BE95EC98BB
                                          SHA-512:8B23C3B4830F261608776C44B2A5D31DB598B1BFB14BCEFD0DA1AB52159AF35E6DA54CB09DDA4A587E7157B10504B54D373A2497292AD5B2E40FFBC552668B57
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):192104
                                          Entropy (8bit):6.460819297931624
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:17CF948597BEFC68706E3121BB0ACDE6
                                          SHA1:D7F13076A2FBDE1F88127118EBD9BAA9C782BC71
                                          SHA-256:036B9B3F7ECE8DFD48AECCD77113721C5305043AAA9C64D1E72812252727AA7C
                                          SHA-512:28475DA6F70C355EC113CD41B2DB3CA0676B3F87495BEBFD76D916047D08B9F27DA7B7EC6F3EB9862BE1947DE163F68B96D12C6864EBD0036B997096728A8003
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):120432
                                          Entropy (8bit):6.602841735473839
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:943FC74C2E39FE803D828CCFA7E62409
                                          SHA1:4E55D591111316027AE4402DFDFCF8815D541727
                                          SHA-256:DA72E6677BD1BCD01C453C1998AAA19AEAF6659F4774CF6848409DA8232A95B2
                                          SHA-512:96E9F32E89AEE6FAEA6E5A3EDC411F467F13B35EE42DD6F071723DAEBA57F611DBD4FF2735BE26BB94223B5EC4EE1DFFEDF8DC744B936C32A27D17B471E37DCF
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):49744
                                          Entropy (8bit):6.702924040492291
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:05052BE2C36166FF9646D7D00BB7413F
                                          SHA1:D8D7C4B322D76E3A7B591024C62F15934979FE40
                                          SHA-256:26E470B29BED3D873E0C328186E53F95E9EDBFE0B0FD0CDA44743A0B1A04A828
                                          SHA-512:0460CC66D06DF9A2941607473F3ECCFD909F2ADAB53A3328FADCEDD1B194B388ECA738C2C6C2E193DE33606925FBED1FE39EFA160015128E93F5E3A03C62170D
                                          Malicious:true
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                          Category:dropped
                                          Size (bytes):38504
                                          Entropy (8bit):6.805311319192725
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:997C522F929B39D93B1D179BC94B0486
                                          SHA1:28EF3ADEE6A2DFD5D4B62B46FF6811EB47F7D510
                                          SHA-256:326110C8C5CAC836CFED1643304CB6BDC4A8737A7A535D6B1EFF4D63878AEF9D
                                          SHA-512:6BC4360321EC13D8C7CD9D17FBAD628874D45DD9F02BEBAEBDCD9BB4C7074C4B864DD65BC4EDA756F988B38ECA6217CE3AB3D5A697202DB8D5D5C1E3BB96A25D
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):686136
                                          Entropy (8bit):7.251009602832873
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:3F32F1A9BD60AE065B89C2223676592E
                                          SHA1:9D386D394DB87F1EE41252CAC863C80F1C8D6B8B
                                          SHA-256:270FA05033B8B9455BD0D38924B1F1F3E4D3E32565DA263209D1F9698EFFBC05
                                          SHA-512:BDDFEAB33A03B0F37CFF9008815E2900CC96BDDAF763007E5F7FDFFD80E56719B81341029431BD9D25C8E74123C1D9CDA0F2AEFAFDC4937095D595093DB823DF
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):18415
                                          Entropy (8bit):4.043868285184243
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:2B063D92663595DFE4781AE687A03D86
                                          SHA1:0FB582E756DBC751EA380593AC4DA27DDB4EBB06
                                          SHA-256:44C76290F7A2E45940E8338912FEB49BCF4E071CFA85D2D34762857743ACBC8D
                                          SHA-512:94C8FDA6173C7F5740F206190EDCD1F1F1C309596B710D400E23CD363A619D707A5D4576D4FE63AB7CB68947F009EFD29A1FBE04743A294698BF2AE17E92C214
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):2980
                                          Entropy (8bit):6.163758160900388
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:472ABBEDCBAD24DBA5B5F5E8D02C340F
                                          SHA1:974F62B5C2E149C3879DD16E5A9DBB9406C3DB85
                                          SHA-256:8E2E660DFB66CB453E17F1B6991799678B1C8B350A55F9EBE2BA0028018A15AD
                                          SHA-512:676E29378AAED25DE6008D213EFA10D1F5AAD107833E218D71F697E728B7B5B57DE42E7A910F121948D7B1B47AB4F7AE63F71196C747E8AE2B4827F754FC2699
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):13234
                                          Entropy (8bit):5.125368352290407
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:E7DC9CA9474A13FA4529D91BCD2AB8CC
                                          SHA1:511F5DE8A99C09EC3766C5E2494A79EACCA261C8
                                          SHA-256:503C433DCDE2F3A9E7D388A5FF2B0612E7D8F90F5188D5B2B60228DB33044FDE
                                          SHA-512:77108E53CD58E42F847D8EF23A07723C4849DC41DBE1C3EF939B9170E75F525BEC9D210D6C1FBFEB330ECE2E77B8A8E2808730D9E6F72F5B3FE626D58B6068C6
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3333
                                          Entropy (8bit):5.370651462060085
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:16343005D29EC431891B02F048C7F581
                                          SHA1:85A14C40C482D9351271F6119D272D19407C3CE9
                                          SHA-256:07FB3EC174F25DFBE532D9D739234D9DFDA8E9D34F01FE660C5B4D56989FA779
                                          SHA-512:FF1AE9C21DCFB018DD4EC82A6D43362CB8C591E21F45DD1C25955D83D328B57C8D454BBE33FBC73A70DADF1DFB3AE27502C9B3A8A3FF2DA97085CA0D9A68AB03
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):12392
                                          Entropy (8bit):5.192979871787938
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:2DDCA2866D76C850F68ACDFDB696D6DE
                                          SHA1:C5076F10B0F0654CDE2C990DEEB2772F3CC4844B
                                          SHA-256:28F63BAD9C2960395106011761993049546607F8A850D344D6A54042176BF03F
                                          SHA-512:E3A3693B92873E0B42007616FF6916304EDC5C4F2EEE3E9276F87E86DD94C2BF6E1CF4E895CDF9A1AA0CAC0B381B8840EEE1F491123E901DEE75638B8BC5CE1B
                                          Malicious:false
                                          Reputation:low
                                          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil Tahoma;}{\f3\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT-SOFTWARE-LIZENZBEDINGUNGEN\par..MICROSOFT VISUAL C++ 2015 - 2022 RUNTIME \par..\b0 Diese Lizenzbestimmungen stellen eine Vereinbarung zwischen Ihnen und der Microsoft Corporation (bzw. abh\'e4ngig von Ihrem Wohnsitz einem ihrer Affiliate-Partner) dar. Sie gelten f\'fcr die oben angef\'fchrte Software. Die Bestimmungen gelten ebenso f\'fcr jegliche von Microsoft angebotenen Dienste oder Updates f\'fcr die Software, sofern diesen keine anderen Bestimmungen beiliegen.\par..\b WENN SIE DIESE LIZENZBESTIMMUNGEN EINHALTEN, VERF\'dcGEN SIE \'dcBER DIE NACHFOLGEND AUFGEF\'dcHRTEN RECHTE.\par....\pard{\pntext\f3\'B7\tab}{\*\pn\pnlvlblt\pnf3\pnindent360{\pntxtb\'B7}}\
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3379
                                          Entropy (8bit):5.094097800535488
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:561F3F32DB2453647D1992D4D932E872
                                          SHA1:109548642FB7C5CC0159BEDDBCF7752B12B264C0
                                          SHA-256:8E0DCA6E085744BFCBFF46F7DCBCFA6FBD722DFA52013EE8CEEAF682D7509581
                                          SHA-512:CEF8C80BEF8F88208E0751305DF519C3D2F1C84351A71098DC73392EC06CB61A4ACA35182A0822CF6934E8EE42196E2BCFE810CC859965A9F6F393858A1242DF
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] - Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [Verzeichnis] - installiert, repariert, deinstalliert oder.. erstellt eine vollst.ndige lokale Kopie des Bundles im Verzeichnis. Installieren ist die Standardeinstellung...../passive | /quiet - zeigt eine minimale Benutzeroberfl.che ohne Eingabeaufforderungen oder keine.. Benutzeroberfl.che und keine Eingabeaufforderungen an. Standardm..ig werden die Benutzeroberfl.che und alle Eingab
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):12349
                                          Entropy (8bit):5.108676965693909
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:A6E352E5804313CCDE3E4D5DDDDE122D
                                          SHA1:834E3AAA07DC675589A9E5FCD23CE5586C2739E8
                                          SHA-256:5C13A65870D770D1642A4259EECB436257CA39016A0500F747BE9C79BE0C7009
                                          SHA-512:6578AC6467F61930BC1B20E404441725C63790C65AEC1ACE297429EAD15F50E68D5FE9CC1451AC86AE23DC1A7FE967650166293010D687785FB81FB4492B87C4
                                          Malicious:false
                                          Reputation:low
                                          Preview:{\rtf1\fbidis\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil\fcharset177 Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\ltrpar\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMES DU CONTRAT DE LICENCE LOGICIEL MICROSOFT\par..MICROSOFT VISUAL C++ 2015 - 2022 RUNTIME \par..\b0 Les pr\'e9sentes conditions de licence constituent un contrat entre Microsoft Corporation (ou en fonction de votre lieu de r\'e9sidence, l\f1\rquote\f0 un de ses affili\'e9s) et vous. Ils s\f1\rquote\f0 appliquent au logiciel vis\'e9 ci-dessus. Les termes s\f1\rquote\f0 appliquent \'e9galement \'e0 tout service et \'e0 toute mise \'e0 jour Microsoft pour ce logiciel, \'e0 moins que d\f1\rquote\f0 autres termes n\f1\rquote\f0 accompagnent ces \'e9l\'e9ments.\par..\b SI VOUS VOUS CONFORMEZ AUX PR\'c9SENTS TERMES DU CONTRAT D
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3366
                                          Entropy (8bit):5.0912204406356905
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:7B46AE8698459830A0F9116BC27DE7DF
                                          SHA1:D9BB14D483B88996A591392AE03E245CAE19C6C3
                                          SHA-256:704DDF2E60C1F292BE95C7C79EE48FE8BA8534CEB7CCF9A9EA68B1AD788AE9D4
                                          SHA-512:FC536DFADBCD81B42F611AC996059A6264E36ECF72A4AEE7D1E37B87AEFED290CC5251C09B68ED0C8719F655B163AD0782ACD8CE6332ED4AB4046C12D8E6DBF6
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installation de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Voulez-vous vraiment annuler.?</String>.. <String Id="HelpHeader">Aide du programme d'installation</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installe, r.pare, d.sinstalle ou.. cr.e une copie locale compl.te du groupe dans le r.pertoire. Install est l'option par d.faut...../passive | /quiet - affiche une interface minimale, sans invite, ou n'affiche ni interface.. ni invite. Par d.faut, l'interface et toutes les invites sont affich.es...../norestart - supprime toutes les tentatives de red.
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):11440
                                          Entropy (8bit):5.037988271709582
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BC58AD6ABB16B982AEBADC121B37E706
                                          SHA1:25E3E4127A643DB5DB2A0B62B02DE871359FAE42
                                          SHA-256:70ECF23C03B66A2B18E173332586AFA8F00F91E02A80628F4F9CB2521E27F6AC
                                          SHA-512:8340452CB5E196CB1D5DA6DBB3FA8872E519D7903A05331055370B4850D912674F0B6AF3D6E4F94248FE8135EB378EB36969821D711FE1624A04AF13BBE55D70
                                          Malicious:false
                                          Reputation:low
                                          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 CONDIZIONI DI LICENZA SOFTWARE MICROSOFT\par..RUNTIME MICROSOFT VISUAL C++ 2015 - 2022 \par..\b0 Le presenti condizioni di licenza costituiscono il contratto tra Microsoft Corporation (o, in base al luogo di residenza del licenziatario, una delle sue consociate) e il licenziatario. Tali condizioni si applicano al software Microsoft di cui sopra. Le condizioni si applicano inoltre a qualsiasi servizio o aggiornamento di Microsoft relativo al software, tranne se accompagnato da condizioni differenti.\par..\b QUALORA IL LICENZIATARIO SI ATTENGA ALLE PRESENTI CONDIZIONI DI LICENZA, DISPORR\'c0 DEI DIRITTI INDICATI DI SEGUITO.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3319
                                          Entropy (8bit):5.019774955491369
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:D90BC60FA15299925986A52861B8E5D5
                                          SHA1:FADFCA9AB91B1AB4BD7F76132F712357BD6DB760
                                          SHA-256:0C57F40CC2091554307AA8A7C35DD38E4596E9513E9EFAE00AC30498EF4E9BC2
                                          SHA-512:11764D0E9F286B5AA7B1A9601170833E462A93A1E569A032FCBA9879174305582BD42794D4131B83FBCFBF1CF868A8D5382B11A4BD21F0F7D9B2E87E3C708C3F
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installazione di [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Annullare?</String>.. <String Id="HelpHeader">Guida alla configurazione</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installa, ripara, disinstalla o.. crea una copia locale completa del bundle nella directory. L'opzione predefinita . Install...../passive | /quiet - visualizza un'interfaccia utente minima senza prompt oppure non visualizza alcuna interfaccia utente.. n. prompt. Per impostazione predefinita viene visualizzata l'intera interfaccia utente e tutti i prompt...../norestart - annulla quals
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):30228
                                          Entropy (8bit):3.785116198512527
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:47C315C54B6F2078875119FA7A718499
                                          SHA1:F650DDB5DF2AF2EE7555C410D034B37B9DFD055B
                                          SHA-256:C3061A334BFD5F02B7085F8F454D5D3D97D477AF14BAB497BF31A7887BC90C5B
                                          SHA-512:A0E4B0FCCCFDD93BAF133C2080403E8719E4A6984237F751BD883C0D3C52D818EFD00F8BA7726A2F645F66286305599403470F14D39EEDC526DDE59228A5F261
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3959
                                          Entropy (8bit):5.955167044943003
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:DC81ED54FD28FC6DB6F139C8DA1BDED6
                                          SHA1:9C719C32844F78AAE523ADB8EE42A54D019C2B05
                                          SHA-256:6B9BBF90D75CFA7D943F036C01602945FE2FA786C6173E22ACB7AFE18375C7EA
                                          SHA-512:FD759C42C7740EE9B42EA910D66B0FA3F813600FD29D074BB592E5E12F5EC09DB6B529680E54F7943821CEFE84CE155A151B89A355D99C25A920BF8F254AA008
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.. <Control Control="UninstallButton" X="270" Y="237" Width="120" Height="23"/>.. <Control Control="RepairButton" X="187" Y="237" Width="80" Height="23"/>.. .. <String Id="Caption">[WixBundleName] .......</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ............ ......... .........................
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):28393
                                          Entropy (8bit):3.874126830110936
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:641D926354F001034CF3F2F3B0FF33DC
                                          SHA1:5505107FFF6CF279769A82510276F61EA18637AE
                                          SHA-256:3D4E9C165CBEAB829D608106F0E96450F839FFA8ADBD755F0B51867E89DA2AE0
                                          SHA-512:B0339664434B096ABC26D600F7657919EF3689B4E0FDFD4EDD8E479859A51EF51BE8F05FA43E25567FFD6C1C2BCC6EF0D7A857B6D666D264C7783BAD3A383D0E
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3249
                                          Entropy (8bit):5.985100495461761
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:B3399648C2F30930487F20B50378CEC1
                                          SHA1:CA7BDAB3BFEF89F6FA3C4AAF39A165D14069FC3D
                                          SHA-256:AD7608B87A7135F408ABF54A897A0F0920080F76013314B00D301D6264AE90B2
                                          SHA-512:C5B0ECF11F6DADF2E68BC3AA29CC8B24C0158DAE61FE488042D1105341773166C9EBABE43B2AF691AD4D4B458BF4A4BF9689C5722C536439CA3CDC84C0825965
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] .. ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">.. ...</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ..... ... .. .. .... .., .., .. .... ...... ... .........../passive | /quiet - .... .. .. UI. ..... UI ... ..... .... ..... ..... UI. .. ..... ........../norestart - .. .... .. .... ...
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):13352
                                          Entropy (8bit):5.359561719031494
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:F140FD8CA2C63A861D04310257C1B1DB
                                          SHA1:7BF7EF763A1F80ECACA692908F8F0790A88C3CA1
                                          SHA-256:6F94A99072061012C5626A6DD069809EC841D6E3102B48394D522A0C2E3AA2B5
                                          SHA-512:A0BD65AF13CC11E41E5021DF0399E5D21B340EF6C9BBE9B1B56A1766F609CEB031F550A7A0439264B10D67A76A6403E41ABA49B3C9E347CAEDFE9AF0C5BE1EE6
                                          Malicious:false
                                          Reputation:low
                                          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 POSTANOWIENIA LICENCYJNE DOTYCZ\f1\'a5CE OPROGRAMOWANIA MICROSOFT\par..\f0 MICROSOFT VISUAL C++ \f1\'8cRODOWISKO URUCHOMIENIOWE 2015-2022 \par..\b0\f0 Niniejsze postanowienia licencyjne stanowi\f1\'b9 umow\'ea mi\'eadzy Microsoft Corporation (lub, w zale\'bfno\'9cci od miejsca zamieszkania Licencjobiorcy, jednym z podmiot\f0\'f3w stowarzyszonych Microsoft Corporation) a Licencjobiorc\f1\'b9. Postanowienia te dotycz\'b9 oprogramowania okre\'9clonego powy\'bfej. Niniejsze postanowienia maj\'b9 r\f0\'f3wnie\f1\'bf zastosowanie do wszelkich us\'b3ug i aktualizacji Microsoft dla niniejszego oprogramowania, z wyj\'b9tkiem tych, kt\f0\'f3rym tow
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3212
                                          Entropy (8bit):5.268378763359481
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:15172EAF5C2C2E2B008DE04A250A62A1
                                          SHA1:ED60F870C473EE87DF39D1584880D964796E6888
                                          SHA-256:440B309FCDF61FFC03B269FE3815C60CB52C6AE3FC6ACAD14EAC04D057B6D6EA
                                          SHA-512:48AA89CF4A0B64FF4DCB82E372A01DFF423C12111D35A4D27B6D8DD793FFDE130E0037AB5E4477818A0939F61F7DB25295E4271B8B03F209D8F498169B1F9BAE
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalator [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Czy na pewno chcesz anulowa.?</String>.. <String Id="HelpHeader">Instalator . Pomoc</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [katalog] - Instaluje, naprawia, odinstalowuje.. lub tworzy pe.n. lokaln. kopi. pakietu w katalogu. Domy.lnie jest u.ywany prze..cznik install...../passive | /quiet - Wy.wietla ograniczony interfejs u.ytkownika bez monit.w albo nie wy.wietla ani interfejsu u.ytkownika,.. ani monit.w. Domy.lnie jest wy.wietlany interfejs u.ytkownika oraz wszystkie monity...../norestart - Pom
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):10956
                                          Entropy (8bit):5.086757849952268
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:9A8D2ACF07F3C01E5CBC461AB932D85B
                                          SHA1:8781A298DCC14C18C6F6DB58B64F50B2FC6E338E
                                          SHA-256:27891EEC899BE859E3B4D3B29247FC6B535D7E836DEF0329111C48741EC6E701
                                          SHA-512:A60262A0C18E3BEF7C6D52F242153EBE891F676ED639F2DACFEBBAC86E70EEBF58AA95A7FE1A16E15A553C1BD3ECACCD8677EB9D2761CB79CB9A342C9B4252E2
                                          Malicious:false
                                          Reputation:low
                                          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMOS DE LICEN\'c7A PARA SOFTWARE MICROSOFT\par..TEMPO DE EXECU\'c7\'c3O DO MICROSOFT VISUAL C++ 2015 - 2022 \par..\b0 Os presentes termos de licen\'e7a constituem um contrato firmado entre a Microsoft Corporation (ou, dependendo do local no qual voc\'ea esteja domiciliado, uma de suas afiliadas) e voc\'ea. Eles se aplicam ao software indicado acima. Os termos tamb\'e9m se aplicam a quaisquer servi\'e7os ou atualiza\'e7\'f5es da Microsoft para o software, exceto at\'e9 a extens\'e3o de que eles tenham termos diferentes.\par..\b SE VOC\'ca CONCORDAR COM ESTES TERMOS DE LICEN\'c7A, TER\'c1 OS DIREITOS INDICADOS ABAIXO.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pn
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3095
                                          Entropy (8bit):5.150868216959352
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BE27B98E086D2B8068B16DBF43E18D50
                                          SHA1:6FAF34A36C8D9DE55650D0466563852552927603
                                          SHA-256:F52B54A0E0D0E8F12CBA9823D88E9FD6822B669074DD1DC69DAD6553F7CB8913
                                          SHA-512:3B7C773EF72D40A8B123FDB8FC11C4F354A3B152CF6D247F02E494B0770C28483392C76F3C222E3719CF500FE98F535014192ACDDD2ED9EF971718EA3EC0A73E
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Instala..o</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda da Instala..o</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [diret.rio - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. Install . o padr.o..../passive | /quiet - exibe a IU m.nima sem nenhum prompt ou n.o exibe nenhuma IU e.. nenhum prompt. Por padr.o, a IU e todos os prompts s.o exibidos...../norestart - suprime qualquer tentativa de reiniciar. Por padr.o, a IU perguntar. antes de reiniciar
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):31981
                                          Entropy (8bit):3.6408688850128446
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:62229BE4447C349DF353C5D56372D64B
                                          SHA1:989799ED24913A0E6AE2546EE2A9A8D556E1CB3B
                                          SHA-256:1BB3FB55B8A13FA3BAFFFE72F5B1ED8B57A63BD4D8654BB6DC5B9011CE803B44
                                          SHA-512:FA366328C3FD4F683FDB1C5A64F5D554DE79620331086E8B4CCC2BFC2595B1FDED02CEC8AA982FCD8B13CC175D222AF2D7E2CD1A33B52F36AFD692B533FDBF13
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):4150
                                          Entropy (8bit):5.444436038992627
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:17C652452E5EE930A7F1E5E312C17324
                                          SHA1:59F3308B87143D8EA0EA319A1F1A1F5DA5759DD3
                                          SHA-256:7333BC8E52548821D82B53DBD7D7C4AA1703C85155480CB83CEFD78380C95661
                                          SHA-512:53FD207B96D6BCF0A442E2D90B92E26CBB3ECC6ED71B753A416730E8067E831E9EB32981A9E9368C4CCA16AFBCB2051483FDCFC474EA8F0D652FCA934634FBE8
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.... <String Id="Caption">......... ......... [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">....... .. .........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [.......] - ........., .............., ........ ..... ........ ...... ......... ..... ...... . ......... .. ......... - ............../passive | /quiet - ........... ....
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):13807
                                          Entropy (8bit):5.2077828423114045
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:9625F3A496DBF5E3E0D2F33D417EDBBF
                                          SHA1:119376730428812A31B70D58C873866D5307A775
                                          SHA-256:F80926604E503697247353F56856B31DE0B3FC1319F1C94068363952549CC9B1
                                          SHA-512:DB91A14FC27E3A62324E024DD44E3B5548AF7E1C021201C3D851BD2F32537885AACFC64ADAE619BAC31B60229D1D5FC653F5301CD7187C69BD0ACECCE817D6A3
                                          Malicious:false
                                          Reputation:low
                                          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset238 Garamond;}{\f3\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT YAZILIMI L\f1\u304?SANS KO\'aaULLARI\par..\f0 MICROSOFT VISUAL C++ 2015 - 2022 \'c7ALI\f1\'aaMA S\f0\'dcRESI \par..\b0 Bu lisans ko\f1\'baullar\u305?, Microsoft Corporation (veya ya\'baad\u305?\u287?\u305?n\u305?z yere g\f0\'f6re bir ba\f1\u287?l\u305? \'bairketi) ile sizin aran\u305?zda yap\u305?lan s\f0\'f6zle\f1\'bameyi olu\'baturur. Bu ko\'baullar, yukar\u305?da ad\u305? ge\f0\'e7en yaz\f1\u305?l\u305?m i\f0\'e7in ge\'e7erlidir. \f1\'aaartlar, yaz\u305?l\u305?m i\f0\'e7in t\'fcm Microsoft hizmetleri veya g\'fcncelle\f1\'batirmeleri i\f0\'e7in, beraberlerinde farkl\f1\u305? \'baartlar bulunmad\u305?\u287?\u305? s\f0\'fcrece ge\'e7erlidir.\pa
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3221
                                          Entropy (8bit):5.280530692056262
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:DEFBEA001DC4EB66553630AC7CE47CCA
                                          SHA1:90CED64EC7C861F03484B5D5616FDBCDA8F64788
                                          SHA-256:E5ABE3CB3BF84207DAC4E6F5BBA1E693341D01AEA076DD2D91EAA21C6A6CB925
                                          SHA-512:B3B7A22D0CDADA21A977F1DCEAF2D73212A4CDDBD298532B1AC97575F36113D45E8D71C60A6D8F8CC2E9DBF18EE1000167CFBF0B2E7ED6F05462D77E0BCA0E90
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Kurulumu</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.ptal etmek istedi.inizden emin misiniz?</String>.. <String Id="HelpHeader">Kurulum Yard.m.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [dizin] - y.kler, onar.r, kald.r.r ya da.. dizindeki paketin tam bir yerel kopyas.n. olu.turur. Varsay.lan install de.eridir...../passive | /quiet - en az d.zeyde istemsiz UI g.sterir ya da hi. UI g.stermez ve.. istem yoktur. Varsay.lan olarak UI ve t.m istemler g.r.nt.lenir...../norestart - yeniden ba.lama denemelerini engeller. Varsay.lan olarak UI yeniden ba.l
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):18214
                                          Entropy (8bit):3.9837154113926356
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:D083C7E300928A0C5AEA5ECBD1653836
                                          SHA1:08F4F1F9F7DFA593BE3977515635967CE7A99E7A
                                          SHA-256:A808B4933CE3B3E0893504DBEF43EBF90B8B567F94BD6481B6315ED9141E1B11
                                          SHA-512:8CB3FFAD879BABA36137B7A21B62D9D6C530693F5E16FBB975F3E7C20F1DB5A686F3A6EE406D69B018AA494E4CD185F71B369A378AE3289B8080105157E63FD0
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):2978
                                          Entropy (8bit):6.135205733555905
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:3D1E15DEEACE801322E222969A574F17
                                          SHA1:58074C83775E1A884FED6679ACF9AC78ABB8A169
                                          SHA-256:2AC8B7C19A5189662DE36A0581C90DBAD96DF259EC00A28F609B644C3F39F9CA
                                          SHA-512:10797919845C57C5831234E866D730EBD13255E5BF8BA8087D53F1D0FC5D72DC6D5F6945DBEBEE69ACC6A2E20378750C4B78083AE0390632743C184532358E10
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [..] - .......... ..................Install ........../passive | /quiet - ..... UI ......... UI ... ........ UI ........../norestart - ..................... UI.../log log.txt - ............. %TEMP% ...
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):10825
                                          Entropy (8bit):5.1113252296046126
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:873A413D23F830D3E87DAB3B94153E08
                                          SHA1:24CFC24F22CEF89818718A86F55F27606EB42668
                                          SHA-256:ABC11BB2B04DFF6AFE2D4D4F40D95A7D62E5AF352928AF90DAA3DADE58DD59BD
                                          SHA-512:DC1ECCB5CC4D3047401E2BC31F5EB3E21C7881C02744A2E63C10D3C911D1158DCFAC023988E873C33DC381C989304FE1D3CB27ED99D7801285C4C378553CD821
                                          Malicious:false
                                          Reputation:low
                                          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 T\'c9RMINOS DE LICENCIA DEL SOFTWARE DE MICROSOFT\par..MICROSOFT VISUAL C++ 2015 - 2022 RUNTIME \par..\b0 Los t\'e9rminos de esta licencia son un contrato entre Microsoft Corporation (o, en funci\'f3n de donde viva, una de las sociedades del grupo) y usted. Se aplican al software mencionado anteriormente. Los t\'e9rminos tambi\'e9n se aplican a los servicios o actualizaciones de software de Microsoft, excepto en la medida en que sus t\'e9rminos sean diferentes.\par..\b SI USTED CUMPLE LOS PRESENTES T\'c9RMINOS DE ESTA LICENCIA, DISPONDR\'c1 DE LOS DERECHOS QUE A CONTINUACI\'d3N SE DESCRIBEN.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb1
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3265
                                          Entropy (8bit):5.0491645049584655
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:47F9F8D342C9C22D0C9636BC7362FA8F
                                          SHA1:3922D1589E284CE76AB39800E2B064F71123C1C5
                                          SHA-256:9CBB2B312C100B309A1B1495E84E2228B937612885F7A642FBBD67969B632C3A
                                          SHA-512:E458DF875E9B0622AEBE3C1449868AA6A2826A1F851DB71165A872B2897CF870CCF85046944FF51FFC13BB15E54E9D9424EC36CAF5A2F38CE8B7D6DC0E9B2363
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar la operaci.n?</String>.. <String Id="HelpHeader">Ayuda de configuraci.n</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - instala, repara, desinstala o.. crea una copia local completa del paquete en el directorio. La opci.n predeterminada es la instalaci.n...../passive | /quiet - muestra una IU m.nima sin solicitudes o no muestra ninguna IU ni.. solicitud. De forma predeterminada, se muestran la IU y todas las solicitudes...../norestart - elimina cualquier intento
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (633), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):15190
                                          Entropy (8bit):3.738616200218003
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:2EE103493F085F0F7C635A430F36E0A0
                                          SHA1:6148F7B7DF3EDD7FF9E5D2C4B92B93E91223919A
                                          SHA-256:A884D7460C9E2814382B11B67A63B920E01E711BC7ED61C2D4F2A6AB8FCCA389
                                          SHA-512:4F870368DE31FBF2026A9390445D093F6A098DF510C6E409564B4AA32E836A41DE4304787824A3B3EFA9A56B05CAC2BF3BB49E3CA8B8BE3D1B1EBFF1B647A29A
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):9235
                                          Entropy (8bit):5.167332119309966
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:04B33F0A9081C10E85D0E495A1294F83
                                          SHA1:1EFE2FB2D014A731B752672745F9FFECDD716412
                                          SHA-256:8099DC3CF9502C335DA829E5C755948A12E3E6DE490EB492A99DEB673D883D8B
                                          SHA-512:D1DBED00DF921169DD61501E2A3E95E6D7807348B188BE9DD8FC63423501E4D848ECE19AC466C3CACFCCC6084E0EB2F457DC957990F6F511DF10FD426E432685
                                          Malicious:false
                                          Reputation:low
                                          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT SOFTWARE LICENSE TERMS\par..MICROSOFT VISUAL C++ 2015 - 2022 RUNTIME \par..\b0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. They apply to the software named above. The terms also apply to any Microsoft services or updates for the software, except to the extent those have different terms.\par..\b IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 INSTALLATION AND USE RIGHTS. \b0\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\f
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:PNG image data, 64 x 64, 8-bit colormap, non-interlaced
                                          Category:dropped
                                          Size (bytes):1861
                                          Entropy (8bit):6.868587546770907
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:D6BD210F227442B3362493D046CEA233
                                          SHA1:FF286AC8370FC655AEA0EF35E9CF0BFCB6D698DE
                                          SHA-256:335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
                                          SHA-512:464AAAB9E08DE610AD34B97D4076E92DC04C2CDC6669F60BFC50F0F9CE5D71C31B8943BD84CEE1A04FB9AB5BBED3442BD41D9CB21A0DD170EA97C463E1CE2B5B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):2952
                                          Entropy (8bit):5.052095286906672
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:FBFCBC4DACC566A3C426F43CE10907B6
                                          SHA1:63C45F9A771161740E100FAF710F30EED017D723
                                          SHA-256:70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
                                          SHA-512:063FB6685EE8D2FA57863A74D66A83C819FE848BA3072B6E7D1B4FE397A9B24A1037183BB2FDA776033C0936BE83888A6456AAE947E240521E2AB75D984EE35E
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29" />.... <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. B
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):8332
                                          Entropy (8bit):5.184632608060528
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:F62729C6D2540015E072514226C121C7
                                          SHA1:C1E189D693F41AC2EAFCC363F7890FC0FEA6979C
                                          SHA-256:F13BAE0EC08C91B4A315BB2D86EE48FADE597E7A5440DCE6F751F98A3A4D6916
                                          SHA-512:CBBFBFA7E013A2B85B78D71D32FDF65323534816978E7544CA6CEA5286A0F6E8E7E5FFC4C538200211F11B94373D5658732D5D8AA1D01F9CCFDBF20F154F1471
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="logo.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Heig
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):220512
                                          Entropy (8bit):6.754483649907534
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:F68F43F809840328F4E993A54B0D5E62
                                          SHA1:01DA48CE6C81DF4835B4C2ECA7E1D447BE893D39
                                          SHA-256:E921F69B9FB4B5AD4691809D06896C5F1D655AB75E0CE94A372319C243C56D4E
                                          SHA-512:A7A799ECF1784FB5E8CD7191BF78B510FF5B07DB07363388D7B32ED21F4FDDC09E34D1160113395F728C0F4E57D13768A0350DBDB207D9224337D2153DC791E1
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):686136
                                          Entropy (8bit):7.251009602832873
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:3F32F1A9BD60AE065B89C2223676592E
                                          SHA1:9D386D394DB87F1EE41252CAC863C80F1C8D6B8B
                                          SHA-256:270FA05033B8B9455BD0D38924B1F1F3E4D3E32565DA263209D1F9698EFFBC05
                                          SHA-512:BDDFEAB33A03B0F37CFF9008815E2900CC96BDDAF763007E5F7FDFFD80E56719B81341029431BD9D25C8E74123C1D9CDA0F2AEFAFDC4937095D595093DB823DF
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:Microsoft Cabinet archive data, many, 5691140 bytes, 14 files, at 0x44 +A "mfc140.dll_amd64" +A "mfc140chs.dll_amd64", flags 0x4, number 1, extra bytes 20 in head, 371 datablocks, 0x1 compression
                                          Category:dropped
                                          Size (bytes):5701492
                                          Entropy (8bit):7.997611715541784
                                          Encrypted:true
                                          SSDEEP:
                                          MD5:5866203168B27F18C1B47ABFA6823E02
                                          SHA1:3B696BE0A4CF750965D74263E43B8E302CB1B318
                                          SHA-256:7D48E0905EBEA9B14A07CFF687705DFDC50D795CD4C32E5ED87A0E344884B430
                                          SHA-512:037F793F60BE84F1DA005D47E21783E719A85B5C12C4D20050AD9D3254AC99BA8EB30B4B1378BAC69379DBC659427DC1AE4A19062ECD337D47D480D047AFB669
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:Microsoft Cabinet archive data, many, 982083 bytes, 12 files, at 0x44 +A "concrt140.dll_amd64" +A "msvcp140.dll_amd64", flags 0x4, number 1, extra bytes 20 in head, 75 datablocks, 0x1 compression
                                          Category:dropped
                                          Size (bytes):992435
                                          Entropy (8bit):7.996227359354833
                                          Encrypted:true
                                          SSDEEP:
                                          MD5:8C302E40FBF614896BA36A75F3F8977E
                                          SHA1:991AF1495F7783173D0C5691BE38FF8648F2DF12
                                          SHA-256:B384B812DC59C2081CEE080EA6BBA748E02ECF3C0800D8DCAF9607A20A4F3290
                                          SHA-512:53B1D7D8AB495931F50B5D815AFE04D52F9E0BBAFA0A5F3E4F6605B6E4F2A85C583ABF9014DEC41481439827BB6BAB23AC439D4FD7D0C3F191F21B2BF5AFB11D
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2022 X64 Additional Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2022 X64 Additional Runtime - 14.42.34433., Template: x64;1033, Revision Number: {E04E511C-7D1F-4263-AB6A-F816392FD4D7}, Create Time/Date: Tue Oct 29 06:55:02 2024, Last Saved Time/Date: Tue Oct 29 06:55:02 2024, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                          Category:dropped
                                          Size (bytes):212992
                                          Entropy (8bit):6.372377887079137
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:351D8E8C804F6C6AAB4C718977B1817D
                                          SHA1:1B680E5E2ED548E5636F9D656C49C87CF9A70DA8
                                          SHA-256:CF584E5132EF3766A088F824BD038494713A7168CDDDD44E3F8C4AD581E2206E
                                          SHA-512:D0613C6B1A72C73013C0519619C557811A1D20FCDDC8361D391A31FC4AA9C70173B907957BABB049067111427A81E48A82E5467A15DAE8BEBB55B048993C93A4
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Visual C++ 2022 X64 Minimum Runtime, Author: Microsoft Corporation, Keywords: Installer, Comments: This installer database contains the logic and data required to install Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.42.34433., Template: x64;1033, Revision Number: {A75B920C-55CD-4531-932F-CB4C539C41F8}, Create Time/Date: Tue Oct 29 06:50:14 2024, Last Saved Time/Date: Tue Oct 29 06:50:14 2024, Number of Pages: 301, Number of Words: 2, Name of Creating Application: Windows Installer XML Toolset (3.14.1.8722), Security: 2
                                          Category:dropped
                                          Size (bytes):212992
                                          Entropy (8bit):6.367262947705725
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:09042BA0AF85F4873A68326AB0E704AF
                                          SHA1:F08C8F9CB63F89A88F5915E6A889B170CE98F515
                                          SHA-256:47CCEB26DD7B78F0D3D09FDDC419290907FE818979884B2192C834034180E83B
                                          SHA-512:1C9552A8BF478F9EDDE8ED67A8F40584A757C66AAF297609B4F577283469287992C1F84EBE15DF4DF05B0135E4D67C958A912738F4814440F6FD77804A2CFA7D
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):18415
                                          Entropy (8bit):4.043868285184243
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:2B063D92663595DFE4781AE687A03D86
                                          SHA1:0FB582E756DBC751EA380593AC4DA27DDB4EBB06
                                          SHA-256:44C76290F7A2E45940E8338912FEB49BCF4E071CFA85D2D34762857743ACBC8D
                                          SHA-512:94C8FDA6173C7F5740F206190EDCD1F1F1C309596B710D400E23CD363A619D707A5D4576D4FE63AB7CB68947F009EFD29A1FBE04743A294698BF2AE17E92C214
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):2980
                                          Entropy (8bit):6.163758160900388
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:472ABBEDCBAD24DBA5B5F5E8D02C340F
                                          SHA1:974F62B5C2E149C3879DD16E5A9DBB9406C3DB85
                                          SHA-256:8E2E660DFB66CB453E17F1B6991799678B1C8B350A55F9EBE2BA0028018A15AD
                                          SHA-512:676E29378AAED25DE6008D213EFA10D1F5AAD107833E218D71F697E728B7B5B57DE42E7A910F121948D7B1B47AB4F7AE63F71196C747E8AE2B4827F754FC2699
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">....</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ................. ......................../passive | /quiet - .... UI ........... UI.... ........... UI ........../norestart - ................UI ............./log log.txt - .........
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):13234
                                          Entropy (8bit):5.125368352290407
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:E7DC9CA9474A13FA4529D91BCD2AB8CC
                                          SHA1:511F5DE8A99C09EC3766C5E2494A79EACCA261C8
                                          SHA-256:503C433DCDE2F3A9E7D388A5FF2B0612E7D8F90F5188D5B2B60228DB33044FDE
                                          SHA-512:77108E53CD58E42F847D8EF23A07723C4849DC41DBE1C3EF939B9170E75F525BEC9D210D6C1FBFEB330ECE2E77B8A8E2808730D9E6F72F5B3FE626D58B6068C6
                                          Malicious:false
                                          Reputation:low
                                          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset238 Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 LICEN\f1\'c8N\f0\'cd PODM\'cdNKY PRO SOFTWARE SPOLE\f1\'c8NOSTI MICROSOFT\par..\f0 MICROSOFT VISUAL C++ 2015 - 2022 RUNTIME \par..\b0 Tyto licen\f1\'e8n\f0\'ed podm\'ednky p\f1\'f8edstavuj\f0\'ed smlouvu mezi spole\f1\'e8nost\f0\'ed Microsoft Corporation (nebo n\f1\'eckterou z jej\f0\'edch afilac\'ed, v\~z\'e1vislosti na tom, kde bydl\'edte) a v\'e1mi. Vztahuj\'ed se na v\'fd\f1\'9ae uveden\f0\'fd software. Podm\'ednky se rovn\f1\'ec\'9e vztahuj\f0\'ed na jak\'e9koli slu\f1\'9eby Microsoft nebo aktualizace pro software, pokud se na slu\'9eby nebo aktualizace nevztahuj\f0\'ed odli\f1\'9an\f0\'e9 podm\'ednky.\par..\b DODR\f1\'8e\f0\'cdTE-LI
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3333
                                          Entropy (8bit):5.370651462060085
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:16343005D29EC431891B02F048C7F581
                                          SHA1:85A14C40C482D9351271F6119D272D19407C3CE9
                                          SHA-256:07FB3EC174F25DFBE532D9D739234D9DFDA8E9D34F01FE660C5B4D56989FA779
                                          SHA-512:FF1AE9C21DCFB018DD4EC82A6D43362CB8C591E21F45DD1C25955D83D328B57C8D454BBE33FBC73A70DADF1DFB3AE27502C9B3A8A3FF2DA97085CA0D9A68AB03
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instala.n. program [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Opravdu chcete akci zru.it?</String>.. <String Id="HelpHeader">N.pov.da nastaven.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [adres..] . Nainstaluje, oprav., odinstaluje nebo.. vytvo.. .plnou m.stn. kopii svazku v adres..i. V.choz. mo.nost. je instalace...../passive | /quiet . Zobraz. minim.ln. u.ivatelsk. rozhran. bez v.zev nebo nezobraz. ..dn. u.ivatelsk. rozhran. a.. ..dn. v.zvy. V.choz. mo.nost. je zobrazen. u.ivatelsk.ho rozhran. a v.ech v.zev...../noresta
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):12392
                                          Entropy (8bit):5.192979871787938
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:2DDCA2866D76C850F68ACDFDB696D6DE
                                          SHA1:C5076F10B0F0654CDE2C990DEEB2772F3CC4844B
                                          SHA-256:28F63BAD9C2960395106011761993049546607F8A850D344D6A54042176BF03F
                                          SHA-512:E3A3693B92873E0B42007616FF6916304EDC5C4F2EEE3E9276F87E86DD94C2BF6E1CF4E895CDF9A1AA0CAC0B381B8840EEE1F491123E901DEE75638B8BC5CE1B
                                          Malicious:false
                                          Reputation:low
                                          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil Tahoma;}{\f3\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT-SOFTWARE-LIZENZBEDINGUNGEN\par..MICROSOFT VISUAL C++ 2015 - 2022 RUNTIME \par..\b0 Diese Lizenzbestimmungen stellen eine Vereinbarung zwischen Ihnen und der Microsoft Corporation (bzw. abh\'e4ngig von Ihrem Wohnsitz einem ihrer Affiliate-Partner) dar. Sie gelten f\'fcr die oben angef\'fchrte Software. Die Bestimmungen gelten ebenso f\'fcr jegliche von Microsoft angebotenen Dienste oder Updates f\'fcr die Software, sofern diesen keine anderen Bestimmungen beiliegen.\par..\b WENN SIE DIESE LIZENZBESTIMMUNGEN EINHALTEN, VERF\'dcGEN SIE \'dcBER DIE NACHFOLGEND AUFGEF\'dcHRTEN RECHTE.\par....\pard{\pntext\f3\'B7\tab}{\*\pn\pnlvlblt\pnf3\pnindent360{\pntxtb\'B7}}\
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3379
                                          Entropy (8bit):5.094097800535488
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:561F3F32DB2453647D1992D4D932E872
                                          SHA1:109548642FB7C5CC0159BEDDBCF7752B12B264C0
                                          SHA-256:8E0DCA6E085744BFCBFF46F7DCBCFA6FBD722DFA52013EE8CEEAF682D7509581
                                          SHA-512:CEF8C80BEF8F88208E0751305DF519C3D2F1C84351A71098DC73392EC06CB61A4ACA35182A0822CF6934E8EE42196E2BCFE810CC859965A9F6F393858A1242DF
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] - Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">M.chten Sie den Vorgang wirklich abbrechen?</String>.. <String Id="HelpHeader">Setup-Hilfe</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [Verzeichnis] - installiert, repariert, deinstalliert oder.. erstellt eine vollst.ndige lokale Kopie des Bundles im Verzeichnis. Installieren ist die Standardeinstellung...../passive | /quiet - zeigt eine minimale Benutzeroberfl.che ohne Eingabeaufforderungen oder keine.. Benutzeroberfl.che und keine Eingabeaufforderungen an. Standardm..ig werden die Benutzeroberfl.che und alle Eingab
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):12349
                                          Entropy (8bit):5.108676965693909
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:A6E352E5804313CCDE3E4D5DDDDE122D
                                          SHA1:834E3AAA07DC675589A9E5FCD23CE5586C2739E8
                                          SHA-256:5C13A65870D770D1642A4259EECB436257CA39016A0500F747BE9C79BE0C7009
                                          SHA-512:6578AC6467F61930BC1B20E404441725C63790C65AEC1ACE297429EAD15F50E68D5FE9CC1451AC86AE23DC1A7FE967650166293010D687785FB81FB4492B87C4
                                          Malicious:false
                                          Reputation:low
                                          Preview:{\rtf1\fbidis\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil Tahoma;}{\f2\fnil\fcharset0 Garamond;}{\f3\fnil\fcharset177 Tahoma;}{\f4\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\ltrpar\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 TERMES DU CONTRAT DE LICENCE LOGICIEL MICROSOFT\par..MICROSOFT VISUAL C++ 2015 - 2022 RUNTIME \par..\b0 Les pr\'e9sentes conditions de licence constituent un contrat entre Microsoft Corporation (ou en fonction de votre lieu de r\'e9sidence, l\f1\rquote\f0 un de ses affili\'e9s) et vous. Ils s\f1\rquote\f0 appliquent au logiciel vis\'e9 ci-dessus. Les termes s\f1\rquote\f0 appliquent \'e9galement \'e0 tout service et \'e0 toute mise \'e0 jour Microsoft pour ce logiciel, \'e0 moins que d\f1\rquote\f0 autres termes n\f1\rquote\f0 accompagnent ces \'e9l\'e9ments.\par..\b SI VOUS VOUS CONFORMEZ AUX PR\'c9SENTS TERMES DU CONTRAT D
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3366
                                          Entropy (8bit):5.0912204406356905
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:7B46AE8698459830A0F9116BC27DE7DF
                                          SHA1:D9BB14D483B88996A591392AE03E245CAE19C6C3
                                          SHA-256:704DDF2E60C1F292BE95C7C79EE48FE8BA8534CEB7CCF9A9EA68B1AD788AE9D4
                                          SHA-512:FC536DFADBCD81B42F611AC996059A6264E36ECF72A4AEE7D1E37B87AEFED290CC5251C09B68ED0C8719F655B163AD0782ACD8CE6332ED4AB4046C12D8E6DBF6
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installation de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Voulez-vous vraiment annuler.?</String>.. <String Id="HelpHeader">Aide du programme d'installation</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installe, r.pare, d.sinstalle ou.. cr.e une copie locale compl.te du groupe dans le r.pertoire. Install est l'option par d.faut...../passive | /quiet - affiche une interface minimale, sans invite, ou n'affiche ni interface.. ni invite. Par d.faut, l'interface et toutes les invites sont affich.es...../norestart - supprime toutes les tentatives de red.
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):11440
                                          Entropy (8bit):5.037988271709582
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BC58AD6ABB16B982AEBADC121B37E706
                                          SHA1:25E3E4127A643DB5DB2A0B62B02DE871359FAE42
                                          SHA-256:70ECF23C03B66A2B18E173332586AFA8F00F91E02A80628F4F9CB2521E27F6AC
                                          SHA-512:8340452CB5E196CB1D5DA6DBB3FA8872E519D7903A05331055370B4850D912674F0B6AF3D6E4F94248FE8135EB378EB36969821D711FE1624A04AF13BBE55D70
                                          Malicious:false
                                          Reputation:low
                                          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 CONDIZIONI DI LICENZA SOFTWARE MICROSOFT\par..RUNTIME MICROSOFT VISUAL C++ 2015 - 2022 \par..\b0 Le presenti condizioni di licenza costituiscono il contratto tra Microsoft Corporation (o, in base al luogo di residenza del licenziatario, una delle sue consociate) e il licenziatario. Tali condizioni si applicano al software Microsoft di cui sopra. Le condizioni si applicano inoltre a qualsiasi servizio o aggiornamento di Microsoft relativo al software, tranne se accompagnato da condizioni differenti.\par..\b QUALORA IL LICENZIATARIO SI ATTENGA ALLE PRESENTI CONDIZIONI DI LICENZA, DISPORR\'c0 DEI DIRITTI INDICATI DI SEGUITO.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3319
                                          Entropy (8bit):5.019774955491369
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:D90BC60FA15299925986A52861B8E5D5
                                          SHA1:FADFCA9AB91B1AB4BD7F76132F712357BD6DB760
                                          SHA-256:0C57F40CC2091554307AA8A7C35DD38E4596E9513E9EFAE00AC30498EF4E9BC2
                                          SHA-512:11764D0E9F286B5AA7B1A9601170833E462A93A1E569A032FCBA9879174305582BD42794D4131B83FBCFBF1CF868A8D5382B11A4BD21F0F7D9B2E87E3C708C3F
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Installazione di [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Annullare?</String>.. <String Id="HelpHeader">Guida alla configurazione</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installa, ripara, disinstalla o.. crea una copia locale completa del bundle nella directory. L'opzione predefinita . Install...../passive | /quiet - visualizza un'interfaccia utente minima senza prompt oppure non visualizza alcuna interfaccia utente.. n. prompt. Per impostazione predefinita viene visualizzata l'intera interfaccia utente e tutti i prompt...../norestart - annulla quals
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):30228
                                          Entropy (8bit):3.785116198512527
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:47C315C54B6F2078875119FA7A718499
                                          SHA1:F650DDB5DF2AF2EE7555C410D034B37B9DFD055B
                                          SHA-256:C3061A334BFD5F02B7085F8F454D5D3D97D477AF14BAB497BF31A7887BC90C5B
                                          SHA-512:A0E4B0FCCCFDD93BAF133C2080403E8719E4A6984237F751BD883C0D3C52D818EFD00F8BA7726A2F645F66286305599403470F14D39EEDC526DDE59228A5F261
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3959
                                          Entropy (8bit):5.955167044943003
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:DC81ED54FD28FC6DB6F139C8DA1BDED6
                                          SHA1:9C719C32844F78AAE523ADB8EE42A54D019C2B05
                                          SHA-256:6B9BBF90D75CFA7D943F036C01602945FE2FA786C6173E22ACB7AFE18375C7EA
                                          SHA-512:FD759C42C7740EE9B42EA910D66B0FA3F813600FD29D074BB592E5E12F5EC09DB6B529680E54F7943821CEFE84CE155A151B89A355D99C25A920BF8F254AA008
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.. <Control Control="UninstallButton" X="270" Y="237" Width="120" Height="23"/>.. <Control Control="RepairButton" X="187" Y="237" Width="80" Height="23"/>.. .. <String Id="Caption">[WixBundleName] .......</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">..........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ............ ......... .........................
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):28393
                                          Entropy (8bit):3.874126830110936
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:641D926354F001034CF3F2F3B0FF33DC
                                          SHA1:5505107FFF6CF279769A82510276F61EA18637AE
                                          SHA-256:3D4E9C165CBEAB829D608106F0E96450F839FFA8ADBD755F0B51867E89DA2AE0
                                          SHA-512:B0339664434B096ABC26D600F7657919EF3689B4E0FDFD4EDD8E479859A51EF51BE8F05FA43E25567FFD6C1C2BCC6EF0D7A857B6D666D264C7783BAD3A383D0E
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3249
                                          Entropy (8bit):5.985100495461761
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:B3399648C2F30930487F20B50378CEC1
                                          SHA1:CA7BDAB3BFEF89F6FA3C4AAF39A165D14069FC3D
                                          SHA-256:AD7608B87A7135F408ABF54A897A0F0920080F76013314B00D301D6264AE90B2
                                          SHA-512:C5B0ECF11F6DADF2E68BC3AA29CC8B24C0158DAE61FE488042D1105341773166C9EBABE43B2AF691AD4D4B458BF4A4BF9689C5722C536439CA3CDC84C0825965
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] .. ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">.. ...</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - ..... ... .. .. .... .., .., .. .... ...... ... .........../passive | /quiet - .... .. .. UI. ..... UI ... ..... .... ..... ..... UI. .. ..... ........../norestart - .. .... .. .... ...
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):13352
                                          Entropy (8bit):5.359561719031494
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:F140FD8CA2C63A861D04310257C1B1DB
                                          SHA1:7BF7EF763A1F80ECACA692908F8F0790A88C3CA1
                                          SHA-256:6F94A99072061012C5626A6DD069809EC841D6E3102B48394D522A0C2E3AA2B5
                                          SHA-512:A0BD65AF13CC11E41E5021DF0399E5D21B340EF6C9BBE9B1B56A1766F609CEB031F550A7A0439264B10D67A76A6403E41ABA49B3C9E347CAEDFE9AF0C5BE1EE6
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3212
                                          Entropy (8bit):5.268378763359481
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:15172EAF5C2C2E2B008DE04A250A62A1
                                          SHA1:ED60F870C473EE87DF39D1584880D964796E6888
                                          SHA-256:440B309FCDF61FFC03B269FE3815C60CB52C6AE3FC6ACAD14EAC04D057B6D6EA
                                          SHA-512:48AA89CF4A0B64FF4DCB82E372A01DFF423C12111D35A4D27B6D8DD793FFDE130E0037AB5E4477818A0939F61F7DB25295E4271B8B03F209D8F498169B1F9BAE
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalator [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Czy na pewno chcesz anulowa.?</String>.. <String Id="HelpHeader">Instalator . Pomoc</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [katalog] - Instaluje, naprawia, odinstalowuje.. lub tworzy pe.n. lokaln. kopi. pakietu w katalogu. Domy.lnie jest u.ywany prze..cznik install...../passive | /quiet - Wy.wietla ograniczony interfejs u.ytkownika bez monit.w albo nie wy.wietla ani interfejsu u.ytkownika,.. ani monit.w. Domy.lnie jest wy.wietlany interfejs u.ytkownika oraz wszystkie monity...../norestart - Pom
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):10956
                                          Entropy (8bit):5.086757849952268
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:9A8D2ACF07F3C01E5CBC461AB932D85B
                                          SHA1:8781A298DCC14C18C6F6DB58B64F50B2FC6E338E
                                          SHA-256:27891EEC899BE859E3B4D3B29247FC6B535D7E836DEF0329111C48741EC6E701
                                          SHA-512:A60262A0C18E3BEF7C6D52F242153EBE891F676ED639F2DACFEBBAC86E70EEBF58AA95A7FE1A16E15A553C1BD3ECACCD8677EB9D2761CB79CB9A342C9B4252E2
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3095
                                          Entropy (8bit):5.150868216959352
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BE27B98E086D2B8068B16DBF43E18D50
                                          SHA1:6FAF34A36C8D9DE55650D0466563852552927603
                                          SHA-256:F52B54A0E0D0E8F12CBA9823D88E9FD6822B669074DD1DC69DAD6553F7CB8913
                                          SHA-512:3B7C773EF72D40A8B123FDB8FC11C4F354A3B152CF6D247F02E494B0770C28483392C76F3C222E3719CF500FE98F535014192ACDDD2ED9EF971718EA3EC0A73E
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Instala..o</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Tem certeza de que deseja cancelar?</String>.. <String Id="HelpHeader">Ajuda da Instala..o</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [diret.rio - instala, repara, desinstala ou.. cria uma c.pia local completa do pacote no diret.rio. Install . o padr.o..../passive | /quiet - exibe a IU m.nima sem nenhum prompt ou n.o exibe nenhuma IU e.. nenhum prompt. Por padr.o, a IU e todos os prompts s.o exibidos...../norestart - suprime qualquer tentativa de reiniciar. Por padr.o, a IU perguntar. antes de reiniciar
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):31981
                                          Entropy (8bit):3.6408688850128446
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:62229BE4447C349DF353C5D56372D64B
                                          SHA1:989799ED24913A0E6AE2546EE2A9A8D556E1CB3B
                                          SHA-256:1BB3FB55B8A13FA3BAFFFE72F5B1ED8B57A63BD4D8654BB6DC5B9011CE803B44
                                          SHA-512:FA366328C3FD4F683FDB1C5A64F5D554DE79620331086E8B4CCC2BFC2595B1FDED02CEC8AA982FCD8B13CC175D222AF2D7E2CD1A33B52F36AFD692B533FDBF13
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):4150
                                          Entropy (8bit):5.444436038992627
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:17C652452E5EE930A7F1E5E312C17324
                                          SHA1:59F3308B87143D8EA0EA319A1F1A1F5DA5759DD3
                                          SHA-256:7333BC8E52548821D82B53DBD7D7C4AA1703C85155480CB83CEFD78380C95661
                                          SHA-512:53FD207B96D6BCF0A442E2D90B92E26CBB3ECC6ED71B753A416730E8067E831E9EB32981A9E9368C4CCA16AFBCB2051483FDCFC474EA8F0D652FCA934634FBE8
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.. <Control Control="InstallButton" X="275" Y="237" Width="110" Height="23"/>.... <String Id="Caption">......... ......... [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">........?</String>.. <String Id="HelpHeader">....... .. .........</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [.......] - ........., .............., ........ ..... ........ ...... ......... ..... ...... . ......... .. ......... - ............../passive | /quiet - ........... ....
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):13807
                                          Entropy (8bit):5.2077828423114045
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:9625F3A496DBF5E3E0D2F33D417EDBBF
                                          SHA1:119376730428812A31B70D58C873866D5307A775
                                          SHA-256:F80926604E503697247353F56856B31DE0B3FC1319F1C94068363952549CC9B1
                                          SHA-512:DB91A14FC27E3A62324E024DD44E3B5548AF7E1C021201C3D851BD2F32537885AACFC64ADAE619BAC31B60229D1D5FC653F5301CD7187C69BD0ACECCE817D6A3
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3221
                                          Entropy (8bit):5.280530692056262
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:DEFBEA001DC4EB66553630AC7CE47CCA
                                          SHA1:90CED64EC7C861F03484B5D5616FDBCDA8F64788
                                          SHA-256:E5ABE3CB3BF84207DAC4E6F5BBA1E693341D01AEA076DD2D91EAA21C6A6CB925
                                          SHA-512:B3B7A22D0CDADA21A977F1DCEAF2D73212A4CDDBD298532B1AC97575F36113D45E8D71C60A6D8F8CC2E9DBF18EE1000167CFBF0B2E7ED6F05462D77E0BCA0E90
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] Kurulumu</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.ptal etmek istedi.inizden emin misiniz?</String>.. <String Id="HelpHeader">Kurulum Yard.m.</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [dizin] - y.kler, onar.r, kald.r.r ya da.. dizindeki paketin tam bir yerel kopyas.n. olu.turur. Varsay.lan install de.eridir...../passive | /quiet - en az d.zeyde istemsiz UI g.sterir ya da hi. UI g.stermez ve.. istem yoktur. Varsay.lan olarak UI ve t.m istemler g.r.nt.lenir...../norestart - yeniden ba.lama denemelerini engeller. Varsay.lan olarak UI yeniden ba.l
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):18214
                                          Entropy (8bit):3.9837154113926356
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:D083C7E300928A0C5AEA5ECBD1653836
                                          SHA1:08F4F1F9F7DFA593BE3977515635967CE7A99E7A
                                          SHA-256:A808B4933CE3B3E0893504DBEF43EBF90B8B567F94BD6481B6315ED9141E1B11
                                          SHA-512:8CB3FFAD879BABA36137B7A21B62D9D6C530693F5E16FBB975F3E7C20F1DB5A686F3A6EE406D69B018AA494E4CD185F71B369A378AE3289B8080105157E63FD0
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):2978
                                          Entropy (8bit):6.135205733555905
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:3D1E15DEEACE801322E222969A574F17
                                          SHA1:58074C83775E1A884FED6679ACF9AC78ABB8A169
                                          SHA-256:2AC8B7C19A5189662DE36A0581C90DBAD96DF259EC00A28F609B644C3F39F9CA
                                          SHA-512:10797919845C57C5831234E866D730EBD13255E5BF8BA8087D53F1D0FC5D72DC6D5F6945DBEBEE69ACC6A2E20378750C4B78083AE0390632743C184532358E10
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">[WixBundleName] ....</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.......?</String>.. <String Id="HelpHeader">......</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [..] - .......... ..................Install ........../passive | /quiet - ..... UI ......... UI ... ........ UI ........../norestart - ..................... UI.../log log.txt - ............. %TEMP% ...
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):10825
                                          Entropy (8bit):5.1113252296046126
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:873A413D23F830D3E87DAB3B94153E08
                                          SHA1:24CFC24F22CEF89818718A86F55F27606EB42668
                                          SHA-256:ABC11BB2B04DFF6AFE2D4D4F40D95A7D62E5AF352928AF90DAA3DADE58DD59BD
                                          SHA-512:DC1ECCB5CC4D3047401E2BC31F5EB3E21C7881C02744A2E63C10D3C911D1158DCFAC023988E873C33DC381C989304FE1D3CB27ED99D7801285C4C378553CD821
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):3265
                                          Entropy (8bit):5.0491645049584655
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:47F9F8D342C9C22D0C9636BC7362FA8F
                                          SHA1:3922D1589E284CE76AB39800E2B064F71123C1C5
                                          SHA-256:9CBB2B312C100B309A1B1495E84E2228B937612885F7A642FBBD67969B632C3A
                                          SHA-512:E458DF875E9B0622AEBE3C1449868AA6A2826A1F851DB71165A872B2897CF870CCF85046944FF51FFC13BB15E54E9D9424EC36CAF5A2F38CE8B7D6DC0E9B2363
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29"/>.... <String Id="Caption">Instalaci.n de [WixBundleName]</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">.Est. seguro de que desea cancelar la operaci.n?</String>.. <String Id="HelpHeader">Ayuda de configuraci.n</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - instala, repara, desinstala o.. crea una copia local completa del paquete en el directorio. La opci.n predeterminada es la instalaci.n...../passive | /quiet - muestra una IU m.nima sin solicitudes o no muestra ninguna IU ni.. solicitud. De forma predeterminada, se muestran la IU y todas las solicitudes...../norestart - elimina cualquier intento
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with very long lines (633), with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):15190
                                          Entropy (8bit):3.7409382498403283
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF582D7DDE516B304F9C065D5C7C14D0
                                          SHA1:C7469C443BDE7F981AFEB2B8915D6552D74DF578
                                          SHA-256:E3BECB81EF61964E7D969653B6DAC7C9873A46E58BAE4400AEB7656A04EAF5BE
                                          SHA-512:F9B7A054FF0F8C31DA1EFA5695B70FDCDF69E7EAE34854F08242FDB8AD30D7EFA5E3D118370FB7C91FE7C8D115C7AA77A98EEDA6EA2E2A3BAA665BE018A946CF
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-16"?>..<BootstrapperApplicationData xmlns="http://schemas.microsoft.com/wix/2010/BootstrapperApplicationData">..  <WixBalCondition Condition="VersionNT &gt;= v6.1" Message="[WixBundleName] can only be installed on Windows 7 and newer platforms." />..  <WixBundleProperties DisplayName="Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532" LogPathVariable="WixBundleLog" Compressed="yes" Id="{8bdfe669-9705-4184-9368-db9ce581e0e7}" UpgradeCode="{C146E
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:Rich Text Format data, version 1, ANSI, code page 1252, default language ID 1033
                                          Category:dropped
                                          Size (bytes):9235
                                          Entropy (8bit):5.167332119309966
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:04B33F0A9081C10E85D0E495A1294F83
                                          SHA1:1EFE2FB2D014A731B752672745F9FFECDD716412
                                          SHA-256:8099DC3CF9502C335DA829E5C755948A12E3E6DE490EB492A99DEB673D883D8B
                                          SHA-512:D1DBED00DF921169DD61501E2A3E95E6D7807348B188BE9DD8FC63423501E4D848ECE19AC466C3CACFCCC6084E0EB2F457DC957990F6F511DF10FD426E432685
                                          Malicious:false
                                          Reputation:low
                                          Preview:{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Tahoma;}{\f1\fnil\fcharset0 Garamond;}{\f2\fnil\fcharset2 Symbol;}}..{\colortbl ;\red0\green32\blue96;\red0\green0\blue255;}..{\*\generator Riched20 10.0.19041}\viewkind4\uc1 ..\pard\sb120\sa120\sl240\slmult1\b\f0\fs20\lang9 MICROSOFT SOFTWARE LICENSE TERMS\par..MICROSOFT VISUAL C++ 2015 - 2022 RUNTIME \par..\b0 These license terms are an agreement between Microsoft Corporation (or based on where you live, one of its affiliates) and you. They apply to the software named above. The terms also apply to any Microsoft services or updates for the software, except to the extent those have different terms.\par..\b IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW.\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\fi-357\li357\sb120\sa120\sl240\slmult1\tx360 INSTALLATION AND USE RIGHTS. \b0\par....\pard{\pntext\f2\'B7\tab}{\*\pn\pnlvlblt\pnf2\pnindent360{\pntxtb\'B7}}\f
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:PNG image data, 64 x 64, 8-bit colormap, non-interlaced
                                          Category:dropped
                                          Size (bytes):1861
                                          Entropy (8bit):6.868587546770907
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:D6BD210F227442B3362493D046CEA233
                                          SHA1:FF286AC8370FC655AEA0EF35E9CF0BFCB6D698DE
                                          SHA-256:335A256D4779EC5DCF283D007FB56FD8211BBCAF47DCD70FE60DED6A112744EF
                                          SHA-512:464AAAB9E08DE610AD34B97D4076E92DC04C2CDC6669F60BFC50F0F9CE5D71C31B8943BD84CEE1A04FB9AB5BBED3442BD41D9CB21A0DD170EA97C463E1CE2B5B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):2952
                                          Entropy (8bit):5.052095286906672
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:FBFCBC4DACC566A3C426F43CE10907B6
                                          SHA1:63C45F9A771161740E100FAF710F30EED017D723
                                          SHA-256:70400F181D00E1769774FF36BCD8B1AB5FBC431418067D31B876D18CC04EF4CE
                                          SHA-512:063FB6685EE8D2FA57863A74D66A83C819FE848BA3072B6E7D1B4FE397A9B24A1037183BB2FDA776033C0936BE83888A6456AAE947E240521E2AB75D984EE35E
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. .. Copyright (c) Microsoft Corporation. All rights reserved...-->..<WixLocalization Culture="en-us" xmlns="http://schemas.microsoft.com/wix/2006/localization">.. <Control Control="EulaAcceptCheckbox" X="11" Y="-41" Width="-11" Height="29" />.... <String Id="Caption">[WixBundleName] Setup</String>.. <String Id="Title">[WixBundleName]</String>.. <String Id="ConfirmCancelMessage">Are you sure you want to cancel?</String>.. <String Id="HelpHeader">Setup Help</String>.. <String Id="HelpText">/install | /repair | /uninstall | /layout [directory] - installs, repairs, uninstalls or.. creates a complete local copy of the bundle in directory. Install is the default...../passive | /quiet - displays minimal UI with no prompts or displays no UI and.. no prompts. By default UI and all prompts are displayed...../norestart - suppress any attempts to restart. By default UI will prompt before restart.../log log.txt - logs to a specific file. B
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):8332
                                          Entropy (8bit):5.184632608060528
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:F62729C6D2540015E072514226C121C7
                                          SHA1:C1E189D693F41AC2EAFCC363F7890FC0FEA6979C
                                          SHA-256:F13BAE0EC08C91B4A315BB2D86EE48FADE597E7A5440DCE6F751F98A3A4D6916
                                          SHA-512:CBBFBFA7E013A2B85B78D71D32FDF65323534816978E7544CA6CEA5286A0F6E8E7E5FFC4C538200211F11B94373D5658732D5D8AA1D01F9CCFDBF20F154F1471
                                          Malicious:false
                                          Reputation:low
                                          Preview:<?xml version="1.0" encoding="utf-8"?>.. Copyright (c) .NET Foundation and contributors. All rights reserved. Licensed under the Microsoft Reciprocal License. See LICENSE.TXT file in the project root for full license information. -->......<Theme xmlns="http://wixtoolset.org/schemas/thmutil/2010">.. <Window Width="485" Height="300" HexStyle="100a0000" FontId="0">#(loc.Caption)</Window>.. <Font Id="0" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="1" Height="-24" Weight="500" Foreground="000000">Segoe UI</Font>.. <Font Id="2" Height="-22" Weight="500" Foreground="666666">Segoe UI</Font>.. <Font Id="3" Height="-12" Weight="500" Foreground="000000" Background="FFFFFF">Segoe UI</Font>.. <Font Id="4" Height="-12" Weight="500" Foreground="ff0000" Background="FFFFFF" Underline="yes">Segoe UI</Font>.... <Image X="11" Y="11" Width="64" Height="64" ImageFile="logo.png" Visible="yes"/>.. <Text X="80" Y="11" Width="-11" Heig
                                          Process:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):195600
                                          Entropy (8bit):6.682530937585544
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:EAB9CAF4277829ABDF6223EC1EFA0EDD
                                          SHA1:74862ECF349A9BEDD32699F2A7A4E00B4727543D
                                          SHA-256:A4EFBDB2CE55788FFE92A244CB775EFD475526EF5B61AD78DE2BCDFADDAC7041
                                          SHA-512:45B15ADE68E0A90EA7300AEB6DCA9BC9E347A63DBA5CE72A635957564D1BDF0B1584A5E34191916498850FC7B3B7ECFBCBFCB246B39DBF59D47F66BC825C6FD2
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.2512345728918484
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:04546A40852536A121036A0B9A65C4BA
                                          SHA1:BDE7C93148CBF37D5039C00DB2E7D1E4D8317933
                                          SHA-256:63A778989CC49C7B05A0EC40E7A50DCD4D4C86AF956E98568AADE025F0156971
                                          SHA-512:F7A7D6C0AB3FC70A9F518BA92C8A5F40A14D5A4E1D358C725B6D3B98DB10860A197013A9EBCF0F7C47677456068D626398B0A44D2B1981D1A579FEB84B7A128C
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):69632
                                          Entropy (8bit):0.14427282608827885
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:3011EECD54B4CEBD8110BF9247E8E914
                                          SHA1:2A070085D9AAABCC1B834938DB1678EFA0E3EAD3
                                          SHA-256:F8F3EF97AE48EDE6910C1313E1112C91FFB84ADBBE4B1EAC43B5CBE309D30F69
                                          SHA-512:0568429BB577BBB0E6E1ADC546C3161B0225BDE9AC287645018A95649296717FFB74C8318F245BD874657F9FFB3F95E4D87F3EC65125B08CC54F8851F575798B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):0.10317546984807693
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:61C0E72E97C831721016EEF01BC314A5
                                          SHA1:AF78F5F7B054660650464940D2EF2173B3D75613
                                          SHA-256:8D20DA0D8D26EC629F052DBE872F46EEFC24EF0412594DDFFA166095CF991F70
                                          SHA-512:B1EDF62D47EBC767C425B29BE00A8FEB36F528298299087765C6FB77E05F8A5A2898C2EC820716FE726048B9D2C8FC019BA43CE5C3637D9D942A6033A132AECE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.2445340365806574
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:EC57618134DC4E553B0465A79D58DE3A
                                          SHA1:3C642F7F0AA52F9F19970ACA9E5889736A8115AF
                                          SHA-256:C4CFC0C04FFC6E9DF1FED8D290583CD1799222E0CAD99F67181660A80C46B110
                                          SHA-512:81EB37FEAA1144DBCB9D7F5C2A0F9B4D22E811F7F63E6270595BB3990C823E60FE49EA34540234FC0E323981847AEBC2A4B9FFAB20A9BFC08AAB3703557560B1
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.254735979514475
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:A5ED01F8610A5E2ECFA8794A047EE4D2
                                          SHA1:C751C27AD73F2AE64FD9498BA1BED664CD831699
                                          SHA-256:CAD8A5E787139C5472AD2CF9E555FAF634B3EBB4D1DA734634F72A89FD97905C
                                          SHA-512:72392CEE820635CC7107D260B535AEE6B5406A5AF224ED65D7FE8CD728DEF5330BD6D67F11B9E92949FA0F31F1ABA8871A5C71922E302D0E989522383954E254
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):73728
                                          Entropy (8bit):0.1316704607154622
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:C765AAF61D16BEA7637722E03A38DC2D
                                          SHA1:E9E7F3D3966D2DA250DA3385FD0A139D259ED30D
                                          SHA-256:AC37547F0CBBFC3C778BD33ADE91FEF758DAA9BCDAD6E553F1DBE677569207EB
                                          SHA-512:938A379D3B8B7862C75BBFDAE7FCB661B30F8742A44CD192363969D7851C5F1046E4115EAB21FC623B0A6C16EF278375155A62A0C73EEF332FA9B85CE55A31E9
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.2512345728918484
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:04546A40852536A121036A0B9A65C4BA
                                          SHA1:BDE7C93148CBF37D5039C00DB2E7D1E4D8317933
                                          SHA-256:63A778989CC49C7B05A0EC40E7A50DCD4D4C86AF956E98568AADE025F0156971
                                          SHA-512:F7A7D6C0AB3FC70A9F518BA92C8A5F40A14D5A4E1D358C725B6D3B98DB10860A197013A9EBCF0F7C47677456068D626398B0A44D2B1981D1A579FEB84B7A128C
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):1.55014320370588
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:07BFD9607737A418AA262E1448742925
                                          SHA1:D800EB3428D440D60A09B12AB77CA131605135E8
                                          SHA-256:06DBCB327E4C26428DC68C8EC2D9AF3D6CA66888CED1446F3A830A022DD27227
                                          SHA-512:9B0FEFCBAD07817DF4A22920D06AF07F7A2214B6903A0E3D5AF217EFCBB172366828A10AEADD6E8F23F93A5C55FD8378B92C5B24412423D67F1FA8D90777377B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.254735979514475
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:A5ED01F8610A5E2ECFA8794A047EE4D2
                                          SHA1:C751C27AD73F2AE64FD9498BA1BED664CD831699
                                          SHA-256:CAD8A5E787139C5472AD2CF9E555FAF634B3EBB4D1DA734634F72A89FD97905C
                                          SHA-512:72392CEE820635CC7107D260B535AEE6B5406A5AF224ED65D7FE8CD728DEF5330BD6D67F11B9E92949FA0F31F1ABA8871A5C71922E302D0E989522383954E254
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.2512345728918484
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:04546A40852536A121036A0B9A65C4BA
                                          SHA1:BDE7C93148CBF37D5039C00DB2E7D1E4D8317933
                                          SHA-256:63A778989CC49C7B05A0EC40E7A50DCD4D4C86AF956E98568AADE025F0156971
                                          SHA-512:F7A7D6C0AB3FC70A9F518BA92C8A5F40A14D5A4E1D358C725B6D3B98DB10860A197013A9EBCF0F7C47677456068D626398B0A44D2B1981D1A579FEB84B7A128C
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.2406942696870968
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:57A97FDD78824B284106A0B86CF98AE8
                                          SHA1:CD187BEADE06742A68D827E3527B12AA2AE94F25
                                          SHA-256:1C27FC7D8B1A7414C4E9747EB696128CDE365CAD83ED4DC60F5546AF04ED7297
                                          SHA-512:EDDDF190AAC1DC809D74AE571C43633166C125214861B31CEF9489B4553D165FFE3E078F506E5A4C22DB52D128C04AC6DE97ABA496D4BCB5F3A4583FAFA34FFD
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.2512345728918484
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:04546A40852536A121036A0B9A65C4BA
                                          SHA1:BDE7C93148CBF37D5039C00DB2E7D1E4D8317933
                                          SHA-256:63A778989CC49C7B05A0EC40E7A50DCD4D4C86AF956E98568AADE025F0156971
                                          SHA-512:F7A7D6C0AB3FC70A9F518BA92C8A5F40A14D5A4E1D358C725B6D3B98DB10860A197013A9EBCF0F7C47677456068D626398B0A44D2B1981D1A579FEB84B7A128C
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):1.55014320370588
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:07BFD9607737A418AA262E1448742925
                                          SHA1:D800EB3428D440D60A09B12AB77CA131605135E8
                                          SHA-256:06DBCB327E4C26428DC68C8EC2D9AF3D6CA66888CED1446F3A830A022DD27227
                                          SHA-512:9B0FEFCBAD07817DF4A22920D06AF07F7A2214B6903A0E3D5AF217EFCBB172366828A10AEADD6E8F23F93A5C55FD8378B92C5B24412423D67F1FA8D90777377B
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.254735979514475
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:A5ED01F8610A5E2ECFA8794A047EE4D2
                                          SHA1:C751C27AD73F2AE64FD9498BA1BED664CD831699
                                          SHA-256:CAD8A5E787139C5472AD2CF9E555FAF634B3EBB4D1DA734634F72A89FD97905C
                                          SHA-512:72392CEE820635CC7107D260B535AEE6B5406A5AF224ED65D7FE8CD728DEF5330BD6D67F11B9E92949FA0F31F1ABA8871A5C71922E302D0E989522383954E254
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):1.5656695536120557
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:AEE4F88E4A8D71E25ED2709CC6C61E10
                                          SHA1:BB12FB72F1B650189BD6E0EB48C752CAD750B4CE
                                          SHA-256:CE0A72E4C6438FEC81E9FD2808A0DB09959B20BDE2FA1A7330B0E9D7E52CD66F
                                          SHA-512:A1465D277650BB6C477910DEC5279E15C84A852656553088805CCE36CCAC178D80C8EA3C36F53384A57AE709DA8BDD81EE885DF1A1FB7E5BC0B8F0E4B77684A2
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.2406942696870968
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:57A97FDD78824B284106A0B86CF98AE8
                                          SHA1:CD187BEADE06742A68D827E3527B12AA2AE94F25
                                          SHA-256:1C27FC7D8B1A7414C4E9747EB696128CDE365CAD83ED4DC60F5546AF04ED7297
                                          SHA-512:EDDDF190AAC1DC809D74AE571C43633166C125214861B31CEF9489B4553D165FFE3E078F506E5A4C22DB52D128C04AC6DE97ABA496D4BCB5F3A4583FAFA34FFD
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.254735979514475
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:A5ED01F8610A5E2ECFA8794A047EE4D2
                                          SHA1:C751C27AD73F2AE64FD9498BA1BED664CD831699
                                          SHA-256:CAD8A5E787139C5472AD2CF9E555FAF634B3EBB4D1DA734634F72A89FD97905C
                                          SHA-512:72392CEE820635CC7107D260B535AEE6B5406A5AF224ED65D7FE8CD728DEF5330BD6D67F11B9E92949FA0F31F1ABA8871A5C71922E302D0E989522383954E254
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.254735979514475
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:A5ED01F8610A5E2ECFA8794A047EE4D2
                                          SHA1:C751C27AD73F2AE64FD9498BA1BED664CD831699
                                          SHA-256:CAD8A5E787139C5472AD2CF9E555FAF634B3EBB4D1DA734634F72A89FD97905C
                                          SHA-512:72392CEE820635CC7107D260B535AEE6B5406A5AF224ED65D7FE8CD728DEF5330BD6D67F11B9E92949FA0F31F1ABA8871A5C71922E302D0E989522383954E254
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):1.5656695536120557
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:AEE4F88E4A8D71E25ED2709CC6C61E10
                                          SHA1:BB12FB72F1B650189BD6E0EB48C752CAD750B4CE
                                          SHA-256:CE0A72E4C6438FEC81E9FD2808A0DB09959B20BDE2FA1A7330B0E9D7E52CD66F
                                          SHA-512:A1465D277650BB6C477910DEC5279E15C84A852656553088805CCE36CCAC178D80C8EA3C36F53384A57AE709DA8BDD81EE885DF1A1FB7E5BC0B8F0E4B77684A2
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):1.5702617092973745
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:FCC3534800303083102E692518997607
                                          SHA1:9122D7800A4D24F4ACD59AEB994A4737D55B55D4
                                          SHA-256:8324590A01C123FCC4F15797197554077BA0F291A7CE302DC7D997F257DECDC5
                                          SHA-512:6E7079135475ACBFB2C395C5C3A05E5392C9CBC2B1E297A31E7D4C10132712F0D33F032FD7D10EF46F5F5D665A52F23B236DA0848DD8BEEF514847CE2F221C9E
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.2406942696870968
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:57A97FDD78824B284106A0B86CF98AE8
                                          SHA1:CD187BEADE06742A68D827E3527B12AA2AE94F25
                                          SHA-256:1C27FC7D8B1A7414C4E9747EB696128CDE365CAD83ED4DC60F5546AF04ED7297
                                          SHA-512:EDDDF190AAC1DC809D74AE571C43633166C125214861B31CEF9489B4553D165FFE3E078F506E5A4C22DB52D128C04AC6DE97ABA496D4BCB5F3A4583FAFA34FFD
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):69632
                                          Entropy (8bit):0.14204877610768943
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:B30E65A277F57C8D70D6AB15C74D8482
                                          SHA1:73C81B4C2D472B359F4542E70602BCFBA56A0094
                                          SHA-256:B16A4928F9ECD05C5CB6679E1DD6E1AC663A9829C5A09B4A9613477AB2534E21
                                          SHA-512:D8B04D8E886C7171838B77CD6FE73982F3AD5DAB64D35E4A5C4F603E7CB531D358D4ABF88FDF250BEB2092964BF7AE8CB5ED15ABE4442ACCB9AB7A3812C927AB
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):1.5555209379595687
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:503777C97B2719DCE1CAC0664192CA94
                                          SHA1:75323D217707F01E3A8BF9EAFF40D8527EECA4FD
                                          SHA-256:2BF7A777C66A6E8399631CDC902BDC38F8602D59F2E4A9430A35971B24E9A444
                                          SHA-512:56681004733C5368DA7B9511670D4181BE8920B23260DF9E14C6246A552F049411A5EF8A8F22C49128EF0A5A44E68E302C462A0E9ADF43C86658158137D6C850
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):73728
                                          Entropy (8bit):0.12946981199201027
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:C5F4C7CC5AA3F8C483068867D08EEF77
                                          SHA1:52620AF20D4CB5705AFE26F6FD48A6FC19C053E3
                                          SHA-256:C0864077305BA02A5F9C9726B7B086A9D717023C5E84E91931368FEA7DEE1EF1
                                          SHA-512:06B88CF78FFA555D8980A2A6C7442771CA91E47F518F72C87A787AE3A1E710872F643A12F98390102B3378F7E5D39E92CEFFAD23C4F0F2EE2F366FA29D34F730
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.2445340365806574
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:EC57618134DC4E553B0465A79D58DE3A
                                          SHA1:3C642F7F0AA52F9F19970ACA9E5889736A8115AF
                                          SHA-256:C4CFC0C04FFC6E9DF1FED8D290583CD1799222E0CAD99F67181660A80C46B110
                                          SHA-512:81EB37FEAA1144DBCB9D7F5C2A0F9B4D22E811F7F63E6270595BB3990C823E60FE49EA34540234FC0E323981847AEBC2A4B9FFAB20A9BFC08AAB3703557560B1
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):1.5702617092973745
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:FCC3534800303083102E692518997607
                                          SHA1:9122D7800A4D24F4ACD59AEB994A4737D55B55D4
                                          SHA-256:8324590A01C123FCC4F15797197554077BA0F291A7CE302DC7D997F257DECDC5
                                          SHA-512:6E7079135475ACBFB2C395C5C3A05E5392C9CBC2B1E297A31E7D4C10132712F0D33F032FD7D10EF46F5F5D665A52F23B236DA0848DD8BEEF514847CE2F221C9E
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):0.10193845076784563
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:5288D9DDD9712395CFC8E20E03DE496E
                                          SHA1:1F2A91B410C41E3F5C941EF5E045F2E71ACE106E
                                          SHA-256:A7782501328B1C45DFDD286F9D4479E55F96041F936DA3599B7E767666AD5789
                                          SHA-512:3464E7D43BF91DF444CAD78C4F3DBF64344EC681A3A4EFF7889C2B4FD54AF4E08CE2A23F05AB9D77B67602073DF9B2055F5E084D459C0D73AE8A03A7202550B6
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.254735979514475
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:A5ED01F8610A5E2ECFA8794A047EE4D2
                                          SHA1:C751C27AD73F2AE64FD9498BA1BED664CD831699
                                          SHA-256:CAD8A5E787139C5472AD2CF9E555FAF634B3EBB4D1DA734634F72A89FD97905C
                                          SHA-512:72392CEE820635CC7107D260B535AEE6B5406A5AF224ED65D7FE8CD728DEF5330BD6D67F11B9E92949FA0F31F1ABA8871A5C71922E302D0E989522383954E254
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.2445340365806574
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:EC57618134DC4E553B0465A79D58DE3A
                                          SHA1:3C642F7F0AA52F9F19970ACA9E5889736A8115AF
                                          SHA-256:C4CFC0C04FFC6E9DF1FED8D290583CD1799222E0CAD99F67181660A80C46B110
                                          SHA-512:81EB37FEAA1144DBCB9D7F5C2A0F9B4D22E811F7F63E6270595BB3990C823E60FE49EA34540234FC0E323981847AEBC2A4B9FFAB20A9BFC08AAB3703557560B1
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):20480
                                          Entropy (8bit):1.5555209379595687
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:503777C97B2719DCE1CAC0664192CA94
                                          SHA1:75323D217707F01E3A8BF9EAFF40D8527EECA4FD
                                          SHA-256:2BF7A777C66A6E8399631CDC902BDC38F8602D59F2E4A9430A35971B24E9A444
                                          SHA-512:56681004733C5368DA7B9511670D4181BE8920B23260DF9E14C6246A552F049411A5EF8A8F22C49128EF0A5A44E68E302C462A0E9ADF43C86658158137D6C850
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.2512345728918484
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:04546A40852536A121036A0B9A65C4BA
                                          SHA1:BDE7C93148CBF37D5039C00DB2E7D1E4D8317933
                                          SHA-256:63A778989CC49C7B05A0EC40E7A50DCD4D4C86AF956E98568AADE025F0156971
                                          SHA-512:F7A7D6C0AB3FC70A9F518BA92C8A5F40A14D5A4E1D358C725B6D3B98DB10860A197013A9EBCF0F7C47677456068D626398B0A44D2B1981D1A579FEB84B7A128C
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:Composite Document File V2 Document, Cannot read section info
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):1.2512345728918484
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:04546A40852536A121036A0B9A65C4BA
                                          SHA1:BDE7C93148CBF37D5039C00DB2E7D1E4D8317933
                                          SHA-256:63A778989CC49C7B05A0EC40E7A50DCD4D4C86AF956E98568AADE025F0156971
                                          SHA-512:F7A7D6C0AB3FC70A9F518BA92C8A5F40A14D5A4E1D358C725B6D3B98DB10860A197013A9EBCF0F7C47677456068D626398B0A44D2B1981D1A579FEB84B7A128C
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):0.10340253801680628
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:7B470BE37941C08E86CC5EED707A5B59
                                          SHA1:26E5FC7D0DAAA9EAD7141B85AFBB5CC3703AD3EE
                                          SHA-256:AC4ABC1480EAB8940840F4334FAB916D372E8F3A1069C4998DE3EA46FED3B03F
                                          SHA-512:48734CFE51142820A436B0B7AA1F7161673BC9756AF07FF6A904E85F4EFA32B3188066DA631A082011006CF17B963AD05C5C58A6531A0E0147EA2440CF6F39E6
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):32768
                                          Entropy (8bit):0.10232782618336174
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:E0A315D7F3562E59B9DBA6FB3661B54A
                                          SHA1:7AF53004042EE570954CB9DDB709C5E44A4D914E
                                          SHA-256:D0EBFD10C59A0967952383CE554E2B60EC9D02EE04B45D84B52DADEBC67E089A
                                          SHA-512:F4FDD567DBB28DB87461A49FD6C2F5B44215A894ACABB996DC0F70BA44EE64A2806FC9F86CA7C79EF49B46BA73BDFE53A6BDD232E52E44CC3961F699BED5EC5F
                                          Malicious:false
                                          Reputation:low
                                          Process:C:\Windows\System32\msiexec.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):512
                                          Entropy (8bit):0.0
                                          Encrypted:false
                                          SSDEEP:
                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                          Malicious:false
                                          Reputation:low
                                          No static file info
                                          Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.


                                          Target ID:0
                                          Start time:01:58:34
                                          Start date:13/01/2025
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe" > cmdline.out 2>&1
                                          Imagebase:0x240000
                                          File size:236'544 bytes
                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:1
                                          Start time:01:58:34
                                          Start date:13/01/2025
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:2
                                          Start time:01:58:35
                                          Start date:13/01/2025
                                          Path:C:\Windows\SysWOW64\wget.exe
                                          Wow64 process (32bit):true
                                          Commandline:wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "https://www.danielgm.net/cc/release/CloudCompare_v2.14.alpha_setup_x64.exe"
                                          Imagebase:0x400000
                                          File size:3'895'184 bytes
                                          MD5 hash:3DADB6E2ECE9C4B3E1E322E617658B60
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:8
                                          Start time:02:02:55
                                          Start date:13/01/2025
                                          Path:C:\Users\user\Desktop\download\CloudCompare_v2.14.alpha_setup_x64.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\download\CloudCompare_v2.14.alpha_setup_x64.exe"
                                          Imagebase:0x400000
                                          File size:355'083'480 bytes
                                          MD5 hash:4FA9171C45161772572CB136422EA7FD
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Reputation:low
                                          Has exited:true

                                          Target ID:10
                                          Start time:02:02:55
                                          Start date:13/01/2025
                                          Path:C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-KHGFO.tmp\CloudCompare_v2.14.alpha_setup_x64.tmp" /SL5="$B01CE,353634964,780800,C:\Users\user\Desktop\download\CloudCompare_v2.14.alpha_setup_x64.exe"
                                          Imagebase:0x400000
                                          File size:3'024'000 bytes
                                          MD5 hash:CA9D0BC1FC3C0AEBE22047A2DCBCD715
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Reputation:low
                                          Has exited:true

                                          Target ID:11
                                          Start time:02:03:32
                                          Start date:13/01/2025
                                          Path:C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe" /install /quiet /norestart
                                          Imagebase:0xff0000
                                          File size:7'200'744 bytes
                                          MD5 hash:49B1164F8E95EC6409EA83CDB352D8DA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:13
                                          Start time:02:03:32
                                          Start date:13/01/2025
                                          Path:C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\vcredist_2013_x64.exe" /install /quiet /norestart -burn.unelevated BurnPipe.{52F10DF7-B7C8-4B5E-AFC8-2BA7C00A35CC} {589A9A7F-E5FB-4992-ADCC-7C833A7A6873} 1628
                                          Imagebase:0xff0000
                                          File size:7'200'744 bytes
                                          MD5 hash:49B1164F8E95EC6409EA83CDB352D8DA
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:17
                                          Start time:02:03:45
                                          Start date:13/01/2025
                                          Path:C:\Windows\System32\SrTasks.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:1
                                          Imagebase:0x7ff6a44b0000
                                          File size:59'392 bytes
                                          MD5 hash:2694D2D28C368B921686FE567BD319EB
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:18
                                          Start time:02:03:45
                                          Start date:13/01/2025
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:19
                                          Start time:02:03:47
                                          Start date:13/01/2025
                                          Path:C:\Windows\System32\msiexec.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\msiexec.exe /V
                                          Imagebase:0x7ff6cfab0000
                                          File size:69'632 bytes
                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:false

                                          Target ID:20
                                          Start time:02:03:51
                                          Start date:13/01/2025
                                          Path:C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe" /install /quiet /norestart
                                          Imagebase:0x40000
                                          File size:25'640'112 bytes
                                          MD5 hash:223A76CD5AB9E42A5C55731154B85627
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:21
                                          Start time:02:03:52
                                          Start date:13/01/2025
                                          Path:C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\Temp\{6E2C42D3-052D-4167-B3F2-8653B9DDDB02}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\user\AppData\Local\Temp\is-MFS7L.tmp\VC_redist.x64.exe" -burn.filehandle.attached=528 -burn.filehandle.self=684 /install /quiet /norestart
                                          Imagebase:0xf40000
                                          File size:686'136 bytes
                                          MD5 hash:3F32F1A9BD60AE065B89C2223676592E
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:22
                                          Start time:02:03:53
                                          Start date:13/01/2025
                                          Path:C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\Temp\{9ED1A8B2-07C2-429C-85C4-B05A42491CC0}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{60D065C7-249B-4C30-AB63-A887FF5234A5} {42CC66AD-E068-43D3-BEEF-9923C01C6D50} 1168
                                          Imagebase:0xe00000
                                          File size:686'136 bytes
                                          MD5 hash:3F32F1A9BD60AE065B89C2223676592E
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:24
                                          Start time:02:03:59
                                          Start date:13/01/2025
                                          Path:C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe" /burn.runonce
                                          Imagebase:0x830000
                                          File size:465'992 bytes
                                          MD5 hash:3284088A2D414D65E865004FDB641936
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:25
                                          Start time:02:04:02
                                          Start date:13/01/2025
                                          Path:C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\ProgramData\Package Cache\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\vcredist_x64.exe"
                                          Imagebase:0x830000
                                          File size:465'992 bytes
                                          MD5 hash:3284088A2D414D65E865004FDB641936
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:false

                                          Target ID:26
                                          Start time:02:04:06
                                          Start date:13/01/2025
                                          Path:C:\Windows\System32\SrTasks.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
                                          Imagebase:0x7ff6a44b0000
                                          File size:59'392 bytes
                                          MD5 hash:2694D2D28C368B921686FE567BD319EB
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:27
                                          Start time:02:04:06
                                          Start date:13/01/2025
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff7699e0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:28
                                          Start time:02:04:13
                                          Start date:13/01/2025
                                          Path:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=1076 -burn.embedded BurnPipe.{D12062C8-32D1-4D95-9427-EFB8FB4659AF} {9F88753D-DF7E-4F79-A3B9-627D7E10415E} 6156
                                          Imagebase:0x370000
                                          File size:650'592 bytes
                                          MD5 hash:35E545DAC78234E4040A99CBB53000AC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:29
                                          Start time:02:04:13
                                          Start date:13/01/2025
                                          Path:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -burn.filehandle.attached=640 -burn.filehandle.self=648 -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=1076 -burn.embedded BurnPipe.{D12062C8-32D1-4D95-9427-EFB8FB4659AF} {9F88753D-DF7E-4F79-A3B9-627D7E10415E} 6156
                                          Imagebase:0x370000
                                          File size:650'592 bytes
                                          MD5 hash:35E545DAC78234E4040A99CBB53000AC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:30
                                          Start time:02:04:14
                                          Start date:13/01/2025
                                          Path:C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\ProgramData\Package Cache\{8bdfe669-9705-4184-9368-db9ce581e0e7}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{935F69E9-7A94-4F90-8C25-27F6F541247F} {146765A4-B826-46FA-82C4-51D72A57D3AB} 5532
                                          Imagebase:0x370000
                                          File size:650'592 bytes
                                          MD5 hash:35E545DAC78234E4040A99CBB53000AC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:31
                                          Start time:02:04:18
                                          Start date:13/01/2025
                                          Path:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe" /burn.runonce
                                          Imagebase:0xeb0000
                                          File size:686'136 bytes
                                          MD5 hash:3F32F1A9BD60AE065B89C2223676592E
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:32
                                          Start time:02:04:18
                                          Start date:13/01/2025
                                          Path:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe"
                                          Imagebase:0xeb0000
                                          File size:686'136 bytes
                                          MD5 hash:3F32F1A9BD60AE065B89C2223676592E
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:false

                                          Target ID:33
                                          Start time:02:04:18
                                          Start date:13/01/2025
                                          Path:C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{804e7d66-ccc2-4c12-84ba-476da31d103d}\VC_redist.x64.exe" -burn.filehandle.attached=568 -burn.filehandle.self=560
                                          Imagebase:0xeb0000
                                          File size:686'136 bytes
                                          MD5 hash:3F32F1A9BD60AE065B89C2223676592E
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:false

                                          Target ID:34
                                          Start time:02:04:22
                                          Start date:13/01/2025
                                          Path:C:\Windows\System32\LogonUI.exe
                                          Wow64 process (32bit):false
                                          Commandline:"LogonUI.exe" /flags:0x4 /state0:0xa3f5d855 /state1:0x41c64e6d
                                          Imagebase:0x7ff75ff10000
                                          File size:13'824 bytes
                                          MD5 hash:893144FE49AA16124B5BD3034E79BBC6
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:false

                                            Execution Graph

                                            Execution Coverage:13.6%
                                            Dynamic/Decrypted Code Coverage:0%
                                            Signature Coverage:8.6%
                                            Total number of Nodes:2000
                                            Total number of Limit Nodes:51
GetProcessHeap RtlFreeHeap GetLastError 28884->28891 28887 1026bb7 GetFileAttributesW 28885->28887 28886->28884 28888 1008922 28887->28888 28888->28884 28894 1007988 449 API calls 28888->28894 28890 10089bc 28889->28890 28892 1020887 _MREFOpen@16 GetProcessHeap RtlFreeHeap GetLastError 28889->28892 28893 10089cc 28890->28893 28895 1020887 _MREFOpen@16 GetProcessHeap RtlFreeHeap GetLastError 28890->28895 28891->28889 28892->28890 28893->28812 28905 1026cb2 28893->28905 28896 1008933 28894->28896 28895->28893 28897 1008959 28896->28897 28898 1008939 28896->28898 28899 10225d7 8 API calls 28897->28899 28898->28879 28900 1008968 28899->28900 28900->28883 28901 100897d 28900->28901 28902 1026bb7 GetFileAttributesW 28901->28902 28903 1008986 28902->28903 28903->28884 28904 100898a 28903->28904 28904->28889 28906 1026d2c _memset 28905->28906 28907 1026d3a GetFileAttributesW 28906->28907 28908 1026d59 GetLastError 28907->28908 28909 1026d64 28907->28909 28908->28909 28910 1026da0 SetFileAttributesW 28909->28910 28911 1026dd6 28909->28911 28925 1026d75 _MREFOpen@16 28909->28925 28937 1027042 _MREFOpen@16 28909->28937 28910->28911 28913 1026db5 GetLastError 28910->28913 28915 1026ff9 RemoveDirectoryW 28911->28915 28917 1026df4 GetTempPathW 28911->28917 28918 1026e2e 28911->28918 28912 10270f2 FindClose 28912->28925 28914 1026dbf 28913->28914 28914->28925 28919 102700d GetLastError 28915->28919 28915->28937 28916 1027112 28922 101854a ___crtMessageBoxW 5 API calls 28916->28922 28917->28918 28921 1026e0a GetLastError 28917->28921 28923 10225d7 8 API calls 28918->28923 28924 1027017 28919->28924 28920 1020887 _MREFOpen@16 GetProcessHeap RtlFreeHeap GetLastError 28920->28916 28921->28925 28926 1027121 28922->28926 28927 1026e45 28923->28927 28930 102702e MoveFileExW 28924->28930 28924->28937 28925->28916 28925->28920 28926->28812 28927->28925 28928 1026e4f FindFirstFileW 28927->28928 28929 1026e6d GetLastError 28928->28929 28931 1026e77 28928->28931 28929->28931 28930->28937 
28932 1026fcb FindNextFileW 28931->28932 28933 10225d7 8 API calls 28931->28933 28931->28937 28938 10223e1 6 API calls 28931->28938 28942 1026f3b 28931->28942 28946 1026cb2 16 API calls 28931->28946 28932->28931 28934 1026fe6 GetLastError 28932->28934 28933->28931 28935 1026ff7 28934->28935 28936 10270c4 GetLastError 28934->28936 28935->28915 28936->28937 28937->28912 28937->28925 28938->28931 28939 1026f44 SetFileAttributesW 28940 1026f5d DeleteFileW 28939->28940 28941 1027061 GetLastError 28939->28941 28940->28932 28940->28942 28943 102706b 28941->28943 28942->28939 28942->28940 28944 10270a3 GetLastError 28942->28944 28945 1026f79 GetTempFileNameW 28942->28945 28943->28937 28944->28943 28947 1027082 GetLastError 28945->28947 28948 1026f9b MoveFileExW 28945->28948 28946->28931 28947->28943 28949 1026fba MoveFileExW 28948->28949 28949->28932 28952 10184d0 _memset 28951->28952 28953 1007901 GetTempPathW 28952->28953 28954 1007950 28953->28954 28955 100791a GetLastError 28953->28955 28956 1021d32 _MREFOpen@16 108 API calls 28954->28956 28958 1007924 _MREFOpen@16 28955->28958 28956->28958 28957 1007977 28959 101854a ___crtMessageBoxW 5 API calls 28957->28959 28958->28957 28960 1020126 _MREFOpen@16 447 API calls 28958->28960 28961 1007986 28959->28961 28960->28957 28961->28815 28962 10225d7 28961->28962 28963 1022627 28962->28963 28965 10225e6 28962->28965 28964 1021729 _MREFOpen@16 7 API calls 28963->28964 28974 1009102 28964->28974 28965->28963 28966 102209c lstrlenW 28965->28966 28967 10225fd 28966->28967 28967->28963 28968 1022601 28967->28968 28969 1021729 _MREFOpen@16 7 API calls 28968->28969 28970 102260b 28969->28970 28971 10223e1 6 API calls 28970->28971 28970->28974 28972 1022617 28971->28972 28973 10218dd _MREFOpen@16 6 API calls 28972->28973 28972->28974 28973->28974 28974->28815 28974->28828 28975->28831 28976->28817 28977->28820 28978->28822 28981 1022c4e _MREFOpen@16 28979->28981 28980 1022c54 _MREFOpen@16 28980->28837 28981->28980 28982 1021729 
_MREFOpen@16 7 API calls 28981->28982 28982->28980 28984 10091fe 449 API calls 28983->28984 28985 1009bec 28984->28985 28986 10225d7 8 API calls 28985->28986 29034 1009bf2 28985->29034 28987 1009c11 28986->28987 28989 1009c17 28987->28989 28991 100959b 449 API calls 28987->28991 28988 1020126 _MREFOpen@16 449 API calls 28990 1009c3d 28988->28990 28992 1020126 _MREFOpen@16 449 API calls 28989->28992 28994 1009d9a 28990->28994 28998 1020887 _MREFOpen@16 GetProcessHeap RtlFreeHeap GetLastError 28990->28998 28993 1009c26 28991->28993 28992->28990 28996 1009c45 28993->28996 28997 1009c2c 28993->28997 28995 1009da7 28994->28995 28999 1020887 _MREFOpen@16 GetProcessHeap RtlFreeHeap GetLastError 28994->28999 29000 1009db4 28995->29000 29004 1020887 _MREFOpen@16 GetProcessHeap RtlFreeHeap GetLastError 28995->29004 29002 1009c72 28996->29002 29005 1009c56 28996->29005 29001 ff1566 449 API calls 28997->29001 28998->28994 28999->28995 29000->28868 29001->28990 29003 10092c4 449 API calls 29002->29003 29006 1009c80 29003->29006 29004->29000 29007 101fbc1 449 API calls 29005->29007 29006->28989 29008 1009c98 29006->29008 29009 1009c6a 29007->29009 29011 1025d1f 7 API calls 29008->29011 29010 10261cd 11 API calls 29009->29010 29010->29002 29012 1009ca2 29011->29012 29013 1009cc6 29012->29013 29014 1009ca6 29012->29014 29015 1025d1f 7 API calls 29013->29015 29016 1007b69 449 API calls 29014->29016 29017 1009cd0 29015->29017 29018 1009cb4 29016->29018 29017->29018 29019 1009cd4 29017->29019 29021 1007c65 449 API calls 29018->29021 29018->29034 29020 1020126 _MREFOpen@16 449 API calls 29019->29020 29020->28990 29022 1009cfc 29021->29022 29023 100959b 449 API calls 29022->29023 29022->29034 29024 1009d15 29023->29024 29025 1009d37 29024->29025 29026 1009d1b 29024->29026 29028 ff1566 449 API calls 29025->29028 29027 101fbc1 449 API calls 29026->29027 29029 1009d2d 29027->29029 29030 1009d5b 29028->29030 29031 10261cd 11 API calls 29029->29031 29033 1026174 10 API calls 29030->29033 
29032 1009d35 29031->29032 29032->28990 29033->29034 29034->28988 29034->28990 29035->28838 29037 ff3fee 29036->29037 29041 ff401d 29036->29041 29038 ff3ff1 CompareStringW 29037->29038 29037->29041 29038->29037 29039 ff4056 29038->29039 29039->28844 29040 ff402a CompareStringW 29040->29039 29040->29041 29041->29039 29041->29040 29042->28854 29043->28871 29044->28871 29045->28841 29046->28841 29047->28841 29048->28843 29049->28847 29050->28850 29054 1000423 29051->29054 29052 1000429 29227 1020126 449 API calls _MREFOpen@16 29052->29227 29054->29052 29178 ffa7da EnterCriticalSection 29054->29178 29055 100059b 29055->28801 29058 1000479 29058->29052 29192 1010cb8 29058->29192 29063 10004ce 29064 10004f2 29063->29064 29212 10272bb 29063->29212 29081 10004c7 29064->29081 29215 ffa4da EnterCriticalSection 29064->29215 29068 100051e 29070 ff1566 449 API calls 29068->29070 29068->29081 29069 ff1566 449 API calls 29069->29064 29071 100052d 29070->29071 29223 102369c 29071->29223 29074 1000565 29077 100057c 29074->29077 29078 100056d 29074->29078 29075 1000555 29076 ff1566 449 API calls 29075->29076 29076->29081 29080 ff1566 449 API calls 29077->29080 29079 ff1566 449 API calls 29078->29079 29079->29081 29080->29081 29081->29055 29228 1020887 GetProcessHeap RtlFreeHeap GetLastError 29081->29228 29083 1022c2c 7 API calls 29082->29083 29084 ffedba 29083->29084 29085 1022c2c 7 API calls 29084->29085 29094 ffedc0 29084->29094 29089 ffeddc 29085->29089 29087 ffeeab 29088 ffeebb 29087->29088 29321 1020887 GetProcessHeap RtlFreeHeap GetLastError 29087->29321 29088->28801 29091 ffa7da 449 API calls 29089->29091 29089->29094 29092 ffee70 29091->29092 29092->29094 29229 ff6c39 29092->29229 29094->29087 29320 1020126 449 API calls _MREFOpen@16 29094->29320 29096 ffef55 29095->29096 29100 ffef5b 29096->29100 29322 ff7203 29096->29322 29098 ffefc4 29098->28801 29100->29098 29360 1020126 449 API calls _MREFOpen@16 29100->29360 29361 1026791 CreateFileW 29101->29361 29103 ff583a 29105 
ff5858 29103->29105 29368 1020126 449 API calls _MREFOpen@16 29103->29368 29105->28801 29170 1020126 449 API calls _MREFOpen@16 29105->29170 29107 fff2da 29106->29107 29108 1022c2c 7 API calls 29107->29108 29116 fff2e0 29107->29116 29110 fff2fa 29108->29110 29111 1022c2c 7 API calls 29110->29111 29110->29116 29112 fff31a 29111->29112 29115 fff32f 29112->29115 29112->29116 29113 fff360 29114 fff36e 29113->29114 29380 1020887 GetProcessHeap RtlFreeHeap GetLastError 29113->29380 29114->28801 29369 100f51a 29115->29369 29377 1020126 449 API calls _MREFOpen@16 29116->29377 29122 fff32b 29122->29113 29379 1020887 GetProcessHeap RtlFreeHeap GetLastError 29122->29379 29124 10007ea _memset 29123->29124 29125 1022c2c 7 API calls 29124->29125 29126 100080b 29125->29126 29127 ff3fd4 2 API calls 29126->29127 29147 1000811 _MREFOpen@16 29126->29147 29129 100082a 29127->29129 29130 1000830 29129->29130 29134 1000846 29129->29134 29454 1020126 449 API calls _MREFOpen@16 29130->29454 29131 100083e 29133 1000a37 29131->29133 29458 1020887 GetProcessHeap RtlFreeHeap GetLastError 29131->29458 29459 10032d1 6 API calls _MREFOpen@16 29133->29459 29138 1022c2c 7 API calls 29134->29138 29134->29147 29137 1000a40 29137->28801 29139 1000878 29138->29139 29143 10008de 29139->29143 29139->29147 29455 10228f3 GetProcessHeap RtlAllocateHeap 29139->29455 29142 ffa7da 449 API calls 29145 10009c5 29142->29145 29144 100094e 29143->29144 29143->29147 29456 10228f3 GetProcessHeap RtlAllocateHeap 29143->29456 29144->29142 29144->29147 29145->29147 29381 100d28d 29145->29381 29147->29131 29457 1020126 449 API calls _MREFOpen@16 29147->29457 29149 fff473 _memset 29148->29149 29150 1022c2c 7 API calls 29149->29150 29151 fff490 29150->29151 29152 1022c2c 7 API calls 29151->29152 29168 fff496 29151->29168 29158 fff4b3 29152->29158 29154 fff51c 29155 fff54d 29154->29155 29471 1020887 GetProcessHeap RtlFreeHeap GetLastError 29154->29471 29472 10032d1 6 API calls _MREFOpen@16 29155->29472 29159 ff3fd4 2 API 
calls 29158->29159 29158->29168 29161 fff4ef 29159->29161 29160 fff556 29160->28801 29162 fff508 29161->29162 29468 ff406b CompareStringW 29161->29468 29164 fff50e 29162->29164 29165 fff521 29162->29165 29469 1020126 449 API calls _MREFOpen@16 29164->29469 29460 10102d2 29165->29460 29168->29154 29470 1020126 449 API calls _MREFOpen@16 29168->29470 29169->28801 29170->28801 29171->28801 29172->28801 29173->28801 29174->28801 29175->28801 29176->28801 29177->28799 29179 ffa811 29178->29179 29180 ffa926 LeaveCriticalSection 29179->29180 29186 ffa8d4 29179->29186 29188 1022c2c 7 API calls 29179->29188 29189 ff9dab 447 API calls 29179->29189 29190 ffa817 29179->29190 29191 10114cc GetProcessHeap RtlFreeHeap GetLastError 29179->29191 29181 ffa93d 29180->29181 29182 ffa935 29180->29182 29185 10114cc GetProcessHeap RtlFreeHeap GetLastError 29181->29185 29184 1020887 _MREFOpen@16 GetProcessHeap RtlFreeHeap GetLastError 29182->29184 29183 1020126 _MREFOpen@16 447 API calls 29183->29186 29184->29181 29187 ffa946 29185->29187 29186->29180 29187->29058 29188->29179 29189->29179 29190->29183 29191->29179 29193 10004ae 29192->29193 29197 1010cc6 29192->29197 29199 10113f4 29193->29199 29194 1010cf6 29196 1022aae _MREFOpen@16 GetProcessHeap RtlFreeHeap GetLastError 29194->29196 29195 ff3e1c 6 API calls 29195->29197 29196->29193 29197->29194 29197->29195 29198 1020887 _MREFOpen@16 GetProcessHeap RtlFreeHeap GetLastError 29197->29198 29198->29197 29200 1023d9a RegOpenKeyExW 29199->29200 29210 1011426 29200->29210 29201 10114a2 29203 10114b5 29201->29203 29204 1020887 _MREFOpen@16 GetProcessHeap RtlFreeHeap GetLastError 29201->29204 29202 101143c 29208 1020126 _MREFOpen@16 447 API calls 29202->29208 29205 10004b6 29203->29205 29206 10114ba RegCloseKey 29203->29206 29204->29203 29205->29052 29205->29063 29206->29205 29207 1023e01 9 API calls 29207->29210 29208->29201 29209 1011466 CompareStringW 29209->29210 29210->29201 29210->29202 29210->29207 29210->29209 29211 1011334 447 API 
calls 29210->29211 29211->29210 29213 102726d 7 API calls 29212->29213 29214 10004e0 29213->29214 29214->29064 29214->29069 29216 ff9b95 _MREFOpen@16 447 API calls 29215->29216 29219 ffa4fa 29216->29219 29217 ffa549 LeaveCriticalSection 29217->29068 29218 ffa51c 29218->29217 29221 1020126 _MREFOpen@16 447 API calls 29218->29221 29219->29217 29219->29218 29220 1011535 _MREFOpen@16 447 API calls 29219->29220 29222 ffa509 29219->29222 29220->29218 29221->29222 29222->29217 29224 10236c6 _memset _MREFOpen@16 29223->29224 29225 101854a ___crtMessageBoxW 5 API calls 29224->29225 29226 100054f 29225->29226 29226->29074 29226->29075 29227->29081 29228->29055 29230 ff6c54 29229->29230 29231 ff1566 448 API calls 29230->29231 29232 ff6c67 29231->29232 29233 ff6ca3 29232->29233 29235 1009e25 448 API calls 29232->29235 29234 1023cda RegCreateKeyExW 29233->29234 29236 ff6cb7 29234->29236 29237 ff6c87 29235->29237 29238 ff6ccf 29236->29238 29239 ff6cbd 29236->29239 29237->29233 29240 ff6c8d 29237->29240 29243 1024111 RegSetValueExW RegDeleteValueW 29238->29243 29247 ff70de 29238->29247 29241 1020126 _MREFOpen@16 448 API calls 29239->29241 29242 1020126 _MREFOpen@16 448 API calls 29240->29242 29259 ff6c9b 29241->29259 29242->29259 29246 ff6ceb 29243->29246 29244 ff713f 29245 ff714b 29244->29245 29249 100fdd6 448 API calls 29244->29249 29251 ff689b 448 API calls 29245->29251 29257 ff708f 29245->29257 29250 ff712e 29246->29250 29256 10241f9 11 API calls 29246->29256 29247->29244 29247->29257 29258 1023c39 RegSetValueExW 29247->29258 29248 ff7187 29254 ff718d RegCloseKey 29248->29254 29255 ff7196 29248->29255 29249->29245 29252 1020126 _MREFOpen@16 448 API calls 29250->29252 29251->29257 29252->29259 29253 1020887 _MREFOpen@16 GetProcessHeap RtlFreeHeap GetLastError 29253->29248 29254->29255 29255->29094 29260 ff6d09 29256->29260 29257->29259 29262 1020126 _MREFOpen@16 448 API calls 29257->29262 29261 ff7128 29258->29261 29259->29248 29259->29253 29260->29250 29263 10241f9 11 API 
calls 29260->29263 29261->29244 29261->29250 29262->29259 29264 ff6d27 29263->29264 29264->29250 29265 10241f9 11 API calls 29264->29265 29266 ff6d45 29265->29266 29266->29250 29267 10241f9 11 API calls 29266->29267 29268 ff6d63 29267->29268 29268->29250 29269 10241b7 113 API calls 29268->29269 29270 ff6da2 29269->29270 29270->29250 29271 ff6dc5 29270->29271 29272 1024111 RegSetValueExW RegDeleteValueW 29270->29272 29271->29250 29273 ff6de5 29271->29273 29274 1024111 RegSetValueExW RegDeleteValueW 29271->29274 29272->29271 29273->29250 29275 10241b7 113 API calls 29273->29275 29274->29273 29276 ff6e07 29275->29276 29276->29250 29277 10241b7 113 API calls 29276->29277 29278 ff6e2a 29277->29278 29278->29250 29279 ff5b62 448 API calls 29278->29279 29280 ff6e45 29279->29280 29281 1024111 RegSetValueExW RegDeleteValueW 29280->29281 29282 ff6e5e 29281->29282 29282->29250 29283 ff6e7e 29282->29283 29284 1024111 RegSetValueExW RegDeleteValueW 29282->29284 29283->29250 29285 ff6e9e 29283->29285 29286 1024111 RegSetValueExW RegDeleteValueW 29283->29286 29284->29283 29285->29250 29287 ff6ebe 29285->29287 29288 1024111 RegSetValueExW RegDeleteValueW 29285->29288 29286->29285 29287->29250 29289 ff6ede 29287->29289 29290 1024111 RegSetValueExW RegDeleteValueW 29287->29290 29288->29287 29289->29250 29291 1024111 RegSetValueExW RegDeleteValueW 29289->29291 29292 ff6efe 29289->29292 29290->29289 29291->29292 29292->29250 29293 1024111 RegSetValueExW RegDeleteValueW 29292->29293 29294 ff6f1e 29292->29294 29293->29294 29294->29250 29295 ff6f59 29294->29295 29296 1024111 RegSetValueExW RegDeleteValueW 29294->29296 29295->29250 29297 ff6f7c 29295->29297 29298 1024111 RegSetValueExW RegDeleteValueW 29295->29298 29300 ff6f3e 29296->29300 29297->29250 29299 ff6f9f 29297->29299 29301 1024111 RegSetValueExW RegDeleteValueW 29297->29301 29298->29297 29299->29250 29302 ff7099 29299->29302 29303 ff6fb8 29299->29303 29300->29250 29307 1024111 RegSetValueExW RegDeleteValueW 29300->29307 
29301->29299 29304 ff6fc8 29302->29304 29305 ff70a2 29302->29305 29306 1023c39 RegSetValueExW 29303->29306 29304->29250 29309 ff6fef 29304->29309 29310 1023c39 RegSetValueExW 29304->29310 29308 10241b7 113 API calls 29305->29308 29306->29304 29307->29295 29315 ff7089 29308->29315 29309->29250 29311 ff700f 29309->29311 29312 1023c39 RegSetValueExW 29309->29312 29310->29309 29311->29250 29313 10241b7 113 API calls 29311->29313 29312->29311 29314 ff702f 29313->29314 29314->29250 29317 10241b7 113 API calls 29314->29317 29315->29247 29315->29250 29315->29257 29316 ff6aad 448 API calls 29315->29316 29316->29247 29318 ff7066 29317->29318 29318->29250 29318->29315 29319 ff5ec7 448 API calls 29318->29319 29319->29315 29320->29087 29321->29088 29323 ff7222 29322->29323 29324 ff1566 447 API calls 29323->29324 29325 ff7244 29324->29325 29326 ff728c 29325->29326 29327 1021d32 _MREFOpen@16 108 API calls 29325->29327 29328 ff735b 29326->29328 29329 ff7297 29326->29329 29331 ff7262 29327->29331 29330 1023d9a RegOpenKeyExW 29328->29330 29332 ff72a9 29329->29332 29333 100fe53 447 API calls 29329->29333 29334 ff72fd 29330->29334 29335 ff727d 29331->29335 29338 1023d2a RegCreateKeyExW 29331->29338 29336 ff72b8 29332->29336 29337 ff72b1 29332->29337 29333->29332 29340 ff689b 447 API calls 29334->29340 29343 ff7312 29334->29343 29335->29326 29339 1020126 _MREFOpen@16 447 API calls 29335->29339 29342 ff5fec 447 API calls 29336->29342 29341 ff60d5 447 API calls 29337->29341 29338->29335 29339->29326 29340->29343 29341->29336 29345 ff72c5 29342->29345 29344 1020126 _MREFOpen@16 447 API calls 29343->29344 29346 ff7323 29343->29346 29344->29346 29347 1023f7c 17 API calls 29345->29347 29348 ff7338 29346->29348 29349 ff7330 RegCloseKey 29346->29349 29350 ff72d2 29347->29350 29351 ff733d RegCloseKey 29348->29351 29355 ff7345 29348->29355 29349->29348 29352 ff72f3 29350->29352 29354 ff72e0 29350->29354 29351->29355 29353 1009dbd 447 API calls 29352->29353 29353->29334 29357 1020126 _MREFOpen@16 
447 API calls 29354->29357 29356 ff7352 29355->29356 29358 1020887 _MREFOpen@16 GetProcessHeap RtlFreeHeap GetLastError 29355->29358 29356->29100 29359 ff72ee 29357->29359 29358->29356 29359->29346 29360->29098 29362 10267b6 GetLastError 29361->29362 29363 10267e7 29361->29363 29366 10267c0 _MREFOpen@16 29362->29366 29364 1025d92 WriteFile GetLastError 29363->29364 29365 10267f3 29364->29365 29365->29366 29367 102680a CloseHandle 29365->29367 29366->29103 29367->29366 29368->29105 29370 100f527 29369->29370 29371 100f569 29369->29371 29373 1028625 23 API calls 29370->29373 29375 100f52a _MREFOpen@16 29370->29375 29372 1028c8c 119 API calls 29371->29372 29372->29375 29373->29375 29374 fff33b 29374->29122 29378 1020126 449 API calls _MREFOpen@16 29374->29378 29375->29374 29376 1020126 _MREFOpen@16 449 API calls 29375->29376 29376->29374 29377->29122 29378->29122 29379->29113 29380->29114 29382 100d2f0 _memset 29381->29382 29383 100d3b4 29382->29383 29384 100d357 29382->29384 29385 100d327 29382->29385 29388 10088b9 449 API calls 29383->29388 29399 100d424 29383->29399 29384->29383 29389 1024a70 GetProcessHeap RtlAllocateHeap GetProcessHeap HeapReAlloc 29384->29389 29386 1024a70 GetProcessHeap RtlAllocateHeap GetProcessHeap HeapReAlloc 29385->29386 29387 100d34f 29386->29387 29387->29383 29398 100d353 29387->29398 29390 100d3e9 29388->29390 29389->29387 29391 100d407 29390->29391 29392 100d3ef 29390->29392 29395 10225d7 8 API calls 29391->29395 29394 1020126 _MREFOpen@16 449 API calls 29392->29394 29393 100d4a5 29397 100cba8 449 API calls 29393->29397 29403 100d3aa 29394->29403 29395->29399 29396 1020126 _MREFOpen@16 449 API calls 29396->29403 29400 100d4cd 29397->29400 29401 ff1566 449 API calls 29398->29401 29399->29393 29404 100d48a 29399->29404 29453 100d42a 29399->29453 29402 100cba8 449 API calls 29400->29402 29400->29453 29401->29403 29405 100d506 29402->29405 29406 100d87d 29403->29406 29408 1020887 _MREFOpen@16 GetProcessHeap RtlFreeHeap GetLastError 
29403->29408 29407 1020126 _MREFOpen@16 449 API calls 29404->29407 29410 100b8b7 449 API calls 29405->29410 29405->29453 29409 100d890 29406->29409 29411 1020887 _MREFOpen@16 GetProcessHeap RtlFreeHeap GetLastError 29406->29411 29407->29403 29408->29406 29412 100d8a3 29409->29412 29413 1020887 _MREFOpen@16 GetProcessHeap RtlFreeHeap GetLastError 29409->29413 29416 100d528 29410->29416 29411->29409 29414 1020887 _MREFOpen@16 GetProcessHeap RtlFreeHeap GetLastError 29412->29414 29415 100d8b6 29412->29415 29413->29412 29414->29415 29417 1020887 _MREFOpen@16 GetProcessHeap RtlFreeHeap GetLastError 29415->29417 29420 100d8c9 29415->29420 29418 100b8b7 449 API calls 29416->29418 29416->29453 29417->29420 29419 100d54a 29418->29419 29422 100bc01 449 API calls 29419->29422 29419->29453 29421 101854a ___crtMessageBoxW 5 API calls 29420->29421 29423 100d90c 29421->29423 29424 100d56c 29422->29424 29423->29147 29425 100bc01 449 API calls 29424->29425 29424->29453 29426 100d58e 29425->29426 29427 ff1566 449 API calls 29426->29427 29426->29453 29428 100d5da 29427->29428 29429 100d7c7 29428->29429 29430 100d5e9 29428->29430 29431 10218dd _MREFOpen@16 6 API calls 29429->29431 29432 100d604 29430->29432 29435 100d5f3 29430->29435 29436 100d766 29430->29436 29433 100d7d9 29431->29433 29432->29403 29434 10218dd _MREFOpen@16 6 API calls 29432->29434 29432->29453 29439 1021d32 _MREFOpen@16 108 API calls 29433->29439 29433->29453 29450 100d61d 29434->29450 29438 100d601 29435->29438 29442 100d6ac 29435->29442 29437 10218dd _MREFOpen@16 6 API calls 29436->29437 29437->29432 29438->29432 29440 100d631 29438->29440 29447 100d802 29439->29447 29441 100d64e 29440->29441 29443 10218dd _MREFOpen@16 6 API calls 29440->29443 29444 10218dd _MREFOpen@16 6 API calls 29441->29444 29441->29453 29448 1021d32 _MREFOpen@16 108 API calls 29442->29448 29443->29441 29444->29450 29445 100d7b4 29446 100ccbc 449 API calls 29445->29446 29446->29403 29451 ff1566 449 API calls 29447->29451 29447->29453 29449 
100d6f8 29448->29449 29452 1021d32 _MREFOpen@16 108 API calls 29449->29452 29449->29453 29450->29445 29450->29453 29451->29453 29452->29453 29453->29396 29453->29403 29454->29131 29455->29143 29456->29144 29457->29131 29458->29133 29459->29137 29461 1010307 29460->29461 29462 10102e7 29460->29462 29464 1010303 29461->29464 29466 10101cc 449 API calls 29461->29466 29463 10100df 449 API calls 29462->29463 29465 10102f2 29463->29465 29464->29168 29465->29464 29467 1020126 _MREFOpen@16 449 API calls 29465->29467 29466->29464 29467->29464 29468->29162 29469->29154 29470->29154 29471->29155 29472->29160 29474 1021a63 29473->29474 29475 1021a40 29473->29475 29487 1020777 29474->29487 29486 102293a GetProcessHeap HeapSize 29475->29486 29478 1021a46 29479 101f943 29478->29479 29480 1021a54 lstrlenW 29478->29480 29479->28591 29479->28595 29480->29474 29484 1021a71 29480->29484 29482 1021abd 29482->29479 29485 1022aae _MREFOpen@16 3 API calls 29482->29485 29483 1020777 _MREFOpen@16 4 API calls 29483->29484 29484->29479 29484->29482 29484->29483 29494 102169c 98 API calls _vswprintf_s 29484->29494 29485->29479 29486->29478 29488 1020787 _MREFOpen@16 29487->29488 29489 102078e 29487->29489 29488->29484 29490 10207a4 29489->29490 29491 102079a 29489->29491 29496 10228f3 GetProcessHeap RtlAllocateHeap 29490->29496 29495 1022915 GetProcessHeap HeapReAlloc 29491->29495 29494->29484 29495->29488 29496->29488 29497->28643 29513 1015fa2 29516 10228f3 GetProcessHeap RtlAllocateHeap 29513->29516 29515 1015faf 29516->29515 29498 1015fb1 29499 1022aae _MREFOpen@16 3 API calls 29498->29499 29500 1015fbc 29499->29500 29517 1016334 29518 1016370 29517->29518 29519 1016355 29517->29519 29520 1016365 29519->29520 29521 1016358 29519->29521 29526 1015b46 SetEvent 29520->29526 29521->29518 29523 101635b 29521->29523 29561 1015ef1 453 API calls _MREFOpen@16 29523->29561 29525 1016363 29525->29518 29527 1015b62 GetLastError 29526->29527 29528 1015b9b WaitForSingleObject 29526->29528 29533 1015b6c 
_MREFOpen@16 29527->29533 29529 1015be4 ResetEvent 29528->29529 29530 1015bab GetLastError 29528->29530 29531 1015bf1 GetLastError 29529->29531 29532 1015c2a 29529->29532 29530->29533 29531->29533 29532->29533 29562 1020e73 29532->29562 29558 1015c54 29533->29558 29579 1020126 449 API calls _MREFOpen@16 29533->29579 29535 1015c70 29536 1015c76 29535->29536 29537 1015c8c SetEvent 29535->29537 29578 1020126 449 API calls _MREFOpen@16 29536->29578 29540 1015cc3 WaitForSingleObject 29537->29540 29541 1015c99 GetLastError 29537->29541 29542 1015cd3 GetLastError 29540->29542 29543 1015cfd ResetEvent 29540->29543 29544 1015ca3 29541->29544 29545 1015cdd 29542->29545 29546 1015d0a GetLastError 29543->29546 29547 1015d14 29543->29547 29544->29540 29545->29543 29546->29547 29548 1015d9e CreateFileW 29547->29548 29551 1015d3b 29547->29551 29549 1015dc3 GetLastError 29548->29549 29550 1015dff SetFilePointerEx 29548->29550 29559 1015dcd _MREFOpen@16 29549->29559 29552 1015e15 GetLastError 29550->29552 29553 1015e4e SetEndOfFile 29550->29553 29551->29558 29577 10228f3 GetProcessHeap RtlAllocateHeap 29551->29577 29560 1015e1f _MREFOpen@16 29552->29560 29555 1015e91 SetFilePointerEx 29553->29555 29556 1015e5b GetLastError 29553->29556 29557 1015ea2 GetLastError 29555->29557 29555->29558 29556->29560 29557->29560 29558->29518 29559->29550 29560->29533 29561->29525 29563 1020e95 29562->29563 29564 1020e8f 29562->29564 29565 1020eb4 MultiByteToWideChar 29563->29565 29569 1020ef6 29563->29569 29574 1020e9c _MREFOpen@16 29563->29574 29580 102293a GetProcessHeap HeapSize 29564->29580 29567 1020ec7 GetLastError 29565->29567 29565->29569 29567->29574 29568 1020f61 MultiByteToWideChar 29570 1020f73 GetLastError 29568->29570 29568->29574 29571 1020f38 29569->29571 29572 1020f2c 29569->29572 29569->29574 29576 1020f36 29569->29576 29570->29574 29582 10228f3 GetProcessHeap RtlAllocateHeap 29571->29582 29581 1022915 GetProcessHeap HeapReAlloc 29572->29581 29574->29535 29576->29568 29576->29574 
RtlFreeHeap GetLastError 31227->31386 31232 ff546e 31230->31232 31387 1020887 GetProcessHeap RtlFreeHeap GetLastError 31230->31387 31234 ff547b 31232->31234 31388 1020887 GetProcessHeap RtlFreeHeap GetLastError 31232->31388 31236 ff5488 31234->31236 31389 1020887 GetProcessHeap RtlFreeHeap GetLastError 31234->31389 31238 ff5495 31236->31238 31390 1020887 GetProcessHeap RtlFreeHeap GetLastError 31236->31390 31240 ff54a2 31238->31240 31391 1020887 GetProcessHeap RtlFreeHeap GetLastError 31238->31391 31242 ff54af 31240->31242 31392 1020887 GetProcessHeap RtlFreeHeap GetLastError 31240->31392 31244 ff54bc 31242->31244 31393 1020887 GetProcessHeap RtlFreeHeap GetLastError 31242->31393 31246 ff54c9 31244->31246 31394 1020887 GetProcessHeap RtlFreeHeap GetLastError 31244->31394 31247 ff54d6 31246->31247 31395 1020887 GetProcessHeap RtlFreeHeap GetLastError 31246->31395 31250 ff54e3 31247->31250 31396 1020887 GetProcessHeap RtlFreeHeap GetLastError 31247->31396 31252 ff54f0 31250->31252 31397 1020887 GetProcessHeap RtlFreeHeap GetLastError 31250->31397 31254 ff54fd 31252->31254 31398 1020887 GetProcessHeap RtlFreeHeap GetLastError 31252->31398 31256 ff550a 31254->31256 31399 1020887 GetProcessHeap RtlFreeHeap GetLastError 31254->31399 31257 ff551a 31256->31257 31400 1020887 GetProcessHeap RtlFreeHeap GetLastError 31256->31400 31260 ff552a 31257->31260 31401 1020887 GetProcessHeap RtlFreeHeap GetLastError 31257->31401 31262 ff553a 31260->31262 31402 1020887 GetProcessHeap RtlFreeHeap GetLastError 31260->31402 31264 ff554a 31262->31264 31403 1020887 GetProcessHeap RtlFreeHeap GetLastError 31262->31403 31266 ff555a 31264->31266 31404 1020887 GetProcessHeap RtlFreeHeap GetLastError 31264->31404 31268 ff556a 31266->31268 31405 1020887 GetProcessHeap RtlFreeHeap GetLastError 31266->31405 31281 ff557a 31268->31281 31406 1020887 GetProcessHeap RtlFreeHeap GetLastError 31268->31406 31271 ff55de 31272 ff55f1 31271->31272 31407 1020887 GetProcessHeap RtlFreeHeap GetLastError 
31271->31407 31276 ff5601 31272->31276 31408 1020887 GetProcessHeap RtlFreeHeap GetLastError 31272->31408 31273 ff55d3 31274 1022aae _MREFOpen@16 3 API calls 31273->31274 31274->31271 31280 1020887 GetProcessHeap RtlFreeHeap GetLastError _MREFOpen@16 31280->31281 31281->31271 31281->31273 31281->31280 31324->30085 31325->30092 31332->31178 31333->31180 31334->31184 31336 ff3e2c 31335->31336 31337 ff3e32 31335->31337 31367 1020887 GetProcessHeap RtlFreeHeap GetLastError 31336->31367 31339 ff3e3f 31337->31339 31368 1020887 GetProcessHeap RtlFreeHeap GetLastError 31337->31368 31341 ff3e4c 31339->31341 31369 1020887 GetProcessHeap RtlFreeHeap GetLastError 31339->31369 31343 ff3e59 31341->31343 31370 1020887 GetProcessHeap RtlFreeHeap GetLastError 31341->31370 31345 ff3e66 31343->31345 31371 1020887 GetProcessHeap RtlFreeHeap GetLastError 31343->31371 31359 ff3e73 31345->31359 31372 1020887 GetProcessHeap RtlFreeHeap GetLastError 31345->31372 31348 ff3eab 31349 ff3eb9 31348->31349 31351 1022aae _MREFOpen@16 3 API calls 31348->31351 31352 ff3ee3 31349->31352 31353 ff3ec2 31349->31353 31350 ff3ea0 31355 1022aae _MREFOpen@16 3 API calls 31350->31355 31351->31349 31377 1009fd3 6 API calls 2 library calls 31352->31377 31357 ff3edb 31353->31357 31358 ff3ec5 31353->31358 31355->31348 31376 100afa0 6 API calls 2 library calls 31357->31376 31361 ff3ec8 31358->31361 31362 ff3ed3 31358->31362 31359->31348 31359->31350 31373 100f4c1 GetProcessHeap RtlFreeHeap GetLastError _MREFOpen@16 31359->31373 31360 ff3ed1 31360->31191 31366 1020887 GetProcessHeap RtlFreeHeap GetLastError 31360->31366 31361->31360 31374 100eaff GetProcessHeap RtlFreeHeap GetLastError _MREFOpen@16 31361->31374 31375 100d9a9 6 API calls _MREFOpen@16 31362->31375 31366->31191 31367->31337 31368->31339 31369->31341 31370->31343 31371->31345 31372->31359 31373->31359 31374->31360 31375->31360 31376->31360 31377->31360 31378->31196 31379->31207 31380->31209 31381->31209 31382->31213 31383->31217 31384->31221 
31385->31227 31386->31230 31387->31232 31388->31234 31389->31236 31390->31238 31391->31240 31392->31242 31393->31244 31394->31246 31395->31247 31396->31250 31397->31252 31398->31254 31399->31256 31400->31257 31401->31260 31402->31262 31403->31264 31404->31266 31405->31268 31406->31281 31407->31272 31408->31276 29583 1016374 CompareStringA 29584 10163b1 GetCurrentProcess GetCurrentProcess DuplicateHandle 29583->29584 29585 101642c CreateFileA 29583->29585 29587 10163d0 GetLastError 29584->29587 29588 1016406 29584->29588 29586 101644d GetLastError 29585->29586 29595 1016428 29585->29595 29590 1016457 _MREFOpen@16 29586->29590 29591 10163da _MREFOpen@16 29587->29591 29596 1016084 449 API calls _MREFOpen@16 29588->29596 29598 1020126 449 API calls _MREFOpen@16 29590->29598 29591->29595 29597 1020126 449 API calls _MREFOpen@16 29591->29597 29594 101648a 29594->29595 29596->29591 29597->29595 29598->29594 29699 101657b 29706 10164a1 29699->29706 29702 10165c1 GetLastError 29704 10165cb _MREFOpen@16 29702->29704 29703 10165fb 29713 1020126 449 API calls _MREFOpen@16 29704->29713 29707 10164b3 29706->29707 29708 10164b9 SetFilePointerEx 29707->29708 29712 101650a ReadFile 29707->29712 29709 10164d0 GetLastError 29708->29709 29708->29712 29710 10164da _MREFOpen@16 29709->29710 29714 1020126 449 API calls _MREFOpen@16 29710->29714 29712->29702 29712->29703 29713->29703 29714->29712

                                            APIs
                                            • _memset.LIBCMT ref: 01023163
                                            • _memset.LIBCMT ref: 01023186
                                            • _memset.LIBCMT ref: 010231A0
                                            • _memset.LIBCMT ref: 010231BA
                                            • _memset.LIBCMT ref: 010231D4
                                            • _memset.LIBCMT ref: 010231EE
                                            • InitializeSecurityDescriptor.ADVAPI32(?,00000001), ref: 01023205
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0102320F
                                            • CreateWellKnownSid.ADVAPI32(0000001A,00000000,?,?), ref: 01023256
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0102325C
                                            • CreateWellKnownSid.ADVAPI32(00000017,00000000,?,?), ref: 0102329D
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 010232A3
                                            • CreateWellKnownSid.ADVAPI32(00000018,00000000,?,?), ref: 010232E4
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 010232EA
                                            • CreateWellKnownSid.ADVAPI32(00000010,00000000,?,?), ref: 0102332B
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01023331
                                            • CreateWellKnownSid.ADVAPI32(00000016,00000000,?,?), ref: 01023372
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01023378
                                            • SetEntriesInAclA.ADVAPI32(00000005,?,00000000,?), ref: 0102346A
                                            • SetSecurityDescriptorOwner.ADVAPI32(?,?,00000000), ref: 010234A5
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 010234AF
                                            • SetSecurityDescriptorGroup.ADVAPI32(?,?,00000000), ref: 010234E5
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 010234EF
                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 01023526
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01023530
                                            • CoInitializeSecurity.COMBASE(?,000000FF,00000000,00000000,00000006,00000002,00000000,00003000,00000000), ref: 01023576
                                            • LocalFree.KERNEL32(?), ref: 0102358C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorLast$_memset$CreateKnownSecurityWell$Descriptor$Initialize$DaclEntriesFreeGroupLocalOwner
                                            • String ID: srputil.cpp
                                            • API String ID: 3642641498-4105181634
                                            • Opcode ID: fc5798a3ea48f563fa7c479cf23481c87385a3bf3214af6d4a07651c9d16975b
                                            • Instruction ID: 354a64ec89b48950e15282f903e56a8c77b8da6b05432a5cd7c2918622bafd12
                                            • Opcode Fuzzy Hash: fc5798a3ea48f563fa7c479cf23481c87385a3bf3214af6d4a07651c9d16975b
                                            • Instruction Fuzzy Hash: A3D143B1D40239AEDB309F55CC84BEEBBB8BB08310F5445BAE65DEB140D7795A848F90

                                            APIs
                                            • _memset.LIBCMT ref: 01026D27
                                            • _memset.LIBCMT ref: 01026D35
                                            • GetFileAttributesW.KERNELBASE(?,?,?,?,00000000,?,00000000), ref: 01026D3E
                                            • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 01026D59
                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000000,?,00000000), ref: 01026DAB
                                            • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 01026DB5
                                            • GetTempPathW.KERNEL32(00000104,?,?,?,?,00000000,?,00000000), ref: 01026E00
                                            • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 01026E0A
                                            • FindFirstFileW.KERNELBASE(?,?,?,*.*,?,?,?,?,00000000,?,00000000), ref: 01026E5C
                                            • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 01026E6D
                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000000,?,00000000), ref: 01026F4F
                                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00000000,?,00000000), ref: 01026F63
                                            • GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000000,?,00000000), ref: 01026F8D
                                            • MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000000,?,00000000), ref: 01026FB0
                                            • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000000,?,00000000), ref: 01026FC9
                                            • FindNextFileW.KERNELBASE(000000FF,?,?,?,?,?,?,?,00000000,?,00000000), ref: 01026FD8
                                            • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 01026FEC
                                            • RemoveDirectoryW.KERNELBASE(?,?,?,?,00000000,?,00000000), ref: 01026FFF
                                            • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 0102700D
                                            • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000000,?,00000000), ref: 01027038
                                            • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 01027061
                                            • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 01027082
                                            • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 010270A3
                                            • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 010270C4
                                            • FindClose.KERNEL32(000000FF,?,?,?,00000000,?,00000000), ref: 010270F8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorFileLast$AttributesFindMove$Temp_memset$CloseDeleteDirectoryFirstNameNextPathRemove
                                            • String ID: *.*$DEL$dirutil.cpp
                                            • API String ID: 4152325254-1252831301
                                            • Opcode ID: 64ebd5d4eb702489c30035f326a37cacbac8c10dd2e4e3195f8a2ac098f3c765
                                            • Instruction ID: 272942e91a8d893854c4d4b1f4b2b486d52a60ec2a20d9c591f3e93377d76fcd
                                            • Opcode Fuzzy Hash: 64ebd5d4eb702489c30035f326a37cacbac8c10dd2e4e3195f8a2ac098f3c765
                                            • Instruction Fuzzy Hash: BAB1D876A00229DADB715E38CC48F9A7BB6AF90710F2541E5FA98D6140EF3BC995CF10

                                            APIs
                                            • _memset.LIBCMT ref: 00FF1BA5
                                            • _memset.LIBCMT ref: 00FF1BC9
                                              • Part of subcall function 00FF1033: InitializeCriticalSection.KERNEL32(?,?,0000011C), ref: 00FF1057
                                              • Part of subcall function 00FF1033: InitializeCriticalSection.KERNEL32(?,?,0000011C), ref: 00FF1060
                                              • Part of subcall function 00FF1033: GetCurrentProcess.KERNEL32(00000000,?,?,?,0000011C), ref: 00FF107E
                                            • CoInitializeEx.COMBASE(00000000,00000000,00000003,00000000), ref: 00FF1C04
                                            • CoUninitialize.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00FF1F08
                                              • Part of subcall function 00FF1226: CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000000,?,?,?,?), ref: 00FF12AC
                                              • Part of subcall function 00FF157C: ReleaseMutex.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00FF174B
                                              • Part of subcall function 00FF157C: CloseHandle.KERNEL32(00000000,?,?,?,00FF1DEA,?,?), ref: 00FF1754
                                              • Part of subcall function 00FF18B9: IsWindow.USER32(?), ref: 00FF1AC3
                                              • Part of subcall function 00FF18B9: PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FF1AD6
                                              • Part of subcall function 00FF18B9: CloseHandle.KERNEL32(00000000,?,?,?,00FF1E12,?), ref: 00FF1AE5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CloseHandleInitialize$CriticalSection_memset$CurrentMessageMutexPostProcessReleaseUninitializeWindow
                                            • String ID: 3.7.3424.0$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Invalid run mode.$Setup$_Failed$engine.cpp$txt
                                            • API String ID: 3466682788-859551277

                                            APIs
                                            • _memset.LIBCMT ref: 01027C1B
                                            • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000000,F0000040,00000000,?,00000000,00000000,?,?,01009C26,00000000,?,?,00000000), ref: 01027C40
                                            • GetLastError.KERNEL32(?,?,01009C26,00000000,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 01027C4A
                                            • CryptCreateHash.ADVAPI32(?,?,00000000,00000000,?,?,?,01009C26,00000000,?,?,00000000,?,?,00000000,00000000), ref: 01027C86
                                            • GetLastError.KERNEL32(?,?,01009C26,00000000,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 01027C90
                                            • CryptHashData.ADVAPI32(?,?,?,00000000,?,?,01009C26,00000000,?,?,00000000,?,?,00000000,00000000,?), ref: 01027CE1
                                            • ReadFile.KERNELBASE(?,?,00001000,?,00000000,?,?,01009C26,00000000,?,?,00000000,?,?,00000000,00000000), ref: 01027D06
                                            • GetLastError.KERNEL32(?,?,01009C26,00000000,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 01027D0C
                                            • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,?,01009C26,00000000,?,?,00000000,?,?,00000000,00000000), ref: 01027D48
                                            • GetLastError.KERNEL32(?,?,01009C26,00000000,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 01027D52
                                            • SetFilePointerEx.KERNELBASE(?,?,?,?,00000001,?,?,01009C26,00000000,?,?,00000000,?,?,00000000,00000000), ref: 01027D9B
                                            • GetLastError.KERNEL32(?,?,01009C26,00000000,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 01027DA5
                                            • GetLastError.KERNEL32(?,?,01009C26,00000000,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 01027DCC
                                            • CryptDestroyHash.ADVAPI32(?,?,?,01009C26,00000000,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 01027E0B
                                            • CryptReleaseContext.ADVAPI32(?,00000000,?,?,01009C26,00000000,?,?,00000000,?,?,00000000,00000000,?,?,00000000), ref: 01027E20
                                            Strings
                                            Similarity
                                            • API ID: CryptErrorLast$Hash$ContextFile$AcquireCreateDataDestroyParamPointerReadRelease_memset
                                            • String ID: cryputil.cpp
                                            • API String ID: 961722652-2185294990
                                            APIs
                                            • _memset.LIBCMT ref: 0100909E
                                            • FindFirstFileW.KERNEL32(?,?,?,*.*,?,?,.unverified,?,?,?), ref: 01009117
                                            • lstrlenW.KERNEL32(?,?,?), ref: 0100913E
                                            • FindNextFileW.KERNEL32(00000000,00000010,?,?), ref: 010091A0
                                            • FindClose.KERNEL32(00000000,?,?), ref: 010091AF
                                              • Part of subcall function 01026CB2: _memset.LIBCMT ref: 01026D27
                                              • Part of subcall function 01026CB2: _memset.LIBCMT ref: 01026D35
                                              • Part of subcall function 01026CB2: GetFileAttributesW.KERNELBASE(?,?,?,?,00000000,?,00000000), ref: 01026D3E
                                              • Part of subcall function 01026CB2: GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 01026D59
                                            Strings
                                            Similarity
                                            • API ID: FileFind_memset$AttributesCloseErrorFirstLastNextlstrlen
                                            • String ID: *.*$.unverified
                                            • API String ID: 2873512992-2528915496
                                            APIs
                                            • EnterCriticalSection.KERNEL32(01047E3C,00000000,00000000,00000000), ref: 0101F86B
                                            • GetCurrentProcessId.KERNEL32 ref: 0101F87A
                                            • GetCurrentThreadId.KERNEL32 ref: 0101F883
                                            • GetLocalTime.KERNEL32(?), ref: 0101F899
                                            • LeaveCriticalSection.KERNEL32(01047E3C,?,?,00000000,0000FDE9), ref: 0101F993
                                            Strings
                                            • %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 0101F938
                                            Similarity
                                            • API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
                                            • String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
                                            • API String ID: 296830338-59366893
                                            APIs
                                            • FormatMessageW.KERNEL32(00000900,00000000,?,00000000,?,00000000,?,00000000,00000000,?,0101FB87,00000000,?,00000000,?,00000001), ref: 0101F9E5
                                            • GetLastError.KERNEL32(?,0101FB87,00000000,?,00000000,?,00000001,?,00FF157A,00000000,00000000,00000000,?,?,01009D5B,00000002), ref: 0101F9EF
                                            • LocalFree.KERNEL32(00000000,00000000,?,00000000,?,0101FB87,00000000,?,00000000,?,00000001,?,00FF157A,00000000,00000000,00000000), ref: 0101FA5A
                                            Strings
                                            Similarity
                                            • API ID: ErrorFormatFreeLastLocalMessage
                                            • String ID: logutil.cpp
                                            • API String ID: 1365068426-3545173039
                                            APIs
                                            • CLSIDFromProgID.COMBASE(Microsoft.Update.AutoUpdate,00FF1DEA,00000000,00FF1DEA,?,?), ref: 01027290
                                            • CoCreateInstance.OLE32(00000000,00000000,00000001,01042978,00000000), ref: 010272A9
                                            Strings
                                            • Microsoft.Update.AutoUpdate, xrefs: 0102728B
                                            Similarity
                                            • API ID: CreateFromInstanceProg
                                            • String ID: Microsoft.Update.AutoUpdate
                                            • API String ID: 2151042543-675569418
                                            APIs
                                            • _memset.LIBCMT ref: 01025D4A
                                            • FindFirstFileW.KERNELBASE(00000000,?,00000000,?,80070002), ref: 01025D5A
                                            • FindClose.KERNEL32(00000000), ref: 01025D66
                                            Similarity
                                            • API ID: Find$CloseFileFirst_memset
                                            • String ID:
                                            • API String ID: 3141757445-0
                                            APIs
                                            • GetProcessHeap.KERNEL32(?,?,?,01020F41,?,00000001,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000), ref: 01022904
                                            • RtlAllocateHeap.NTDLL(00000000,?,01020F41,?,00000001,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000,00000000), ref: 0102290B
                                            Similarity
                                            • API ID: Heap$AllocateProcess
                                            • String ID:
                                            • API String ID: 1357844191-0
                                            APIs
                                            • CommandLineToArgvW.SHELL32(00FF2142,00FF2146,00FF2142,?,00000000,00FF2142,ignored ,00000000,00000000,00FF1D56,00FF2142,00FF2146,00FF1E8E,00FF2222,00FF1F0E,00000000), ref: 00FFC864
                                            • GetLastError.KERNEL32 ref: 00FFC871
                                            • CompareStringW.KERNELBASE(0000007F,00000001,00FF1E8C,000000FF,01032BBC,000000FF,00FF21DE,00000000,00FF1D56,00FF2142,00FF2146,00FF1E8E,00FF2222,00FF1F0E,00000000,?), ref: 00FFC8F5
                                            • CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,log,000000FF), ref: 00FFC911
                                            • CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,01032BB0,000000FF), ref: 00FFC92D
                                            • CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,01032BAC,000000FF), ref: 00FFC949
                                            • CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,help,000000FF), ref: 00FFC965
                                            • CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,01032B9C,000000FF), ref: 00FFC981
                                            • CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,quiet,000000FF), ref: 00FFC99D
                                            • CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,01032B8C,000000FF), ref: 00FFC9B9
                                            • CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,silent,000000FF), ref: 00FFC9D5
                                            • CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,passive,000000FF), ref: 00FFC9F1
                                            • CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,norestart,000000FF), ref: 00FFCA29
                                            • CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,forcerestart,000000FF), ref: 00FFCA50
                                            • CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,promptrestart,000000FF), ref: 00FFCA77
                                            • CompareStringW.KERNEL32(0000007F,00000001,00000000,000000FF,layout,000000FF), ref: 00FFCA9A
                                            • lstrlenW.KERNEL32(00000000), ref: 00FFD0FC
                                            • lstrlenW.KERNEL32(burn.), ref: 00FFD109
                                            • lstrlenW.KERNEL32(burn.), ref: 00FFD11D
                                            • lstrlenW.KERNEL32(burn.,burn.,00000000), ref: 00FFD126
                                            • CompareStringW.KERNEL32(0000007F,00000001,00000000,00000000), ref: 00FFD139
                                            • LocalFree.KERNEL32(00000000,00000000,00FF1D56,00FF2142,00FF2146), ref: 00FFD21C
                                            Strings
                                            Similarity
                                            • API ID: CompareString$lstrlen$ArgvCommandErrorFreeLastLineLocal
                                            • String ID: Failed to allocate the list of ancestors.$Failed to allocate the list of dependencies to ignore.$Failed to copy append log file path.$Failed to copy command line.$Failed to copy last used source.$Failed to copy log file path.$Failed to copy parent.$Failed to copy path for layout directory.$Failed to get command line.$Failed to initialize command line.$Failed to initialize parent to none.$Failed to parse elevated connection.$Failed to parse embedded connection.$Failed to parse unelevated connection.$Missing required parameter for switch: %ls$Must specify a path for append log.$Must specify a path for log.$Must specify a path for original source.$Must specify a value for parent.$Must specify the elevated name, token and parent process id.$Must specify the embedded name, token and parent process id.$Must specify the unelevated name, token and parent process id.$burn.$burn.ancestors$burn.disable.unelevate$burn.elevated$burn.embedded$burn.embedded.async$burn.ignoredependencies$burn.log.append$burn.passthrough$burn.related.addon$burn.related.detect$burn.related.patch$burn.related.update$burn.related.upgrade$burn.runonce$burn.unelevated$cache$core.cpp$disablesystemrestore$forcerestart$help$ignored $keepaupaused$layout$log$modify$noaupause$norestart$originalsource$package$parallelcacheandexecute$parent$parent:none$passive$promptrestart$quiet$repair$serialcacheandexecute$silent$uninstall$update
                                            • API String ID: 1440157973-175168873

                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: StringVariant$AllocClearFreeInit
                                            • String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$registration.cpp$yes
                                            • API String ID: 760788290-2956246334
                                            • Opcode ID: 17ecbd5c43b27bdf8075cae04e944e4ddf8ef68444b8f5f86408276f6cd66e55
                                            • Instruction ID: 038d7c7f382d7dac68b9c131db33d20cbbb13980292588e0a4f4a64a07c60d4a
                                            • Opcode Fuzzy Hash: 17ecbd5c43b27bdf8075cae04e944e4ddf8ef68444b8f5f86408276f6cd66e55
                                            • Instruction Fuzzy Hash: BCD10B3368072DBACB12EA51CC86FBE767AEF50710F244429F699EB264DF71A9017710

                                            APIs
                                            • _memset.LIBCMT ref: 00FF20EB
                                            • _memset.LIBCMT ref: 00FF20FD
                                              • Part of subcall function 0102202C: GetModuleFileNameW.KERNEL32(00FF213E,?,00000104,?,00000104,?,00000000,?,?,00FF213E,?,00000000,?,?,?,76EEC3F0), ref: 0102204D
                                            • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000,?,?,?,76EEC3F0,?,00000000), ref: 00FF216E
                                            • GetLastError.KERNEL32(?,?,?,76EEC3F0,?,00000000), ref: 00FF217B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: File_memset$CreateErrorLastModuleName
                                            • String ID: ($.wixburn$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get path to engine process.$Failed to get total size of bundle.$Failed to open handle to engine process path: %ls$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$section.cpp
                                            • API String ID: 3151910114-3305245485
                                            • Opcode ID: b744ee3cd16b84d088dbfa292616c55160cf0d424d86208b8cec47aa9991d92c
                                            • Instruction ID: a884b86edda46d29f2dd1070ceb01c2a63ee93012fd09f5bdb4b6b3bf1f0deea
                                            • Opcode Fuzzy Hash: b744ee3cd16b84d088dbfa292616c55160cf0d424d86208b8cec47aa9991d92c
                                            • Instruction Fuzzy Hash: 36120872E4023AABDB709E65CC45FFA7774AF00710F1401A9FA48FE1A0EA799D409F95

                                            APIs
                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000000,F08B8007,057CF33B,00020006,00000000), ref: 00FF7190
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Close
                                            • String ID: /uninstall$"%ls" %ls$"%ls" /modify$"%ls" /uninstall /quiet$%hs$%hu.%hu.%hu.%hu$%s,0$/modify$3.7.3424.0$BundleAddonCode$BundleCachePath$BundleDetectCode$BundlePatchCode$BundleProviderKey$BundleTag$BundleUpgradeCode$BundleVersion$Comments$Contact$DisplayIcon$DisplayName$DisplayVersion$EngineVersion$EstimatedSize$Failed to cache bundle from path: %ls$Failed to create registration key.$Failed to register the bundle dependency key.$Failed to update resume mode.$Failed to write %ls value.$Failed to write software tags.$Failed to write update registration.$HelpLink$HelpTelephone$ModifyPath$NoElevateOnModify$NoModify$NoRemove$ParentDisplayName$ParentKeyName$Publisher$QuietUninstallString$SystemComponent$URLInfoAbout$URLUpdateInfo$UninstallString$engine.cpp
                                            • API String ID: 3535843008-3299706022
                                            • Opcode ID: 2f5b275a9567782269440791ba57814c8fd62971b305fd62800a8bc2c6e38a63
                                            • Instruction ID: 0db1979f09c123f8837b7c791b590b9a2d329392e002b78c7b816a6da54593ae
                                            • Opcode Fuzzy Hash: 2f5b275a9567782269440791ba57814c8fd62971b305fd62800a8bc2c6e38a63
                                            • Instruction Fuzzy Hash: 6CE1A63070471BABDB216AA5CD85FABBAFA9F64714F20002CFB84D6561DBB1DD18E710

                                            APIs
                                            • SetEvent.KERNEL32(?,?,?,?,?,01016370), ref: 01015B58
                                            • GetLastError.KERNEL32(?,?,?,01016370), ref: 01015B62
                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,01016370), ref: 01015BA0
                                            • GetLastError.KERNEL32(?,?,?,01016370), ref: 01015BAB
                                            • ResetEvent.KERNEL32(?,?,?,?,01016370), ref: 01015BE7
                                            • GetLastError.KERNEL32(?,?,?,01016370), ref: 01015BF1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorLast$Event$ObjectResetSingleWait
                                            • String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp
                                            • API String ID: 1865021742-2104912459
                                            • Opcode ID: 92cf32e10256cf575355c4304c0361c1c73de36a2d953a809644fe783d86acfb
                                            • Instruction ID: 1754f1be73efab148f08e27baa5d6c43b3413b93cd9fbedf0b376d347845a6de
                                            • Opcode Fuzzy Hash: 92cf32e10256cf575355c4304c0361c1c73de36a2d953a809644fe783d86acfb
                                            • Instruction Fuzzy Hash: 5F914832E40727BBE3711A698C0DB663E94BF42760F254364FA94EE5D8E79ED80047D4

                                            APIs
                                            • _memset.LIBCMT ref: 0100D2EB
                                              • Part of subcall function 0102530D: _memset.LIBCMT ref: 0102531E
                                            Strings
                                            • Failed to add reboot suppression property on uninstall., xrefs: 0100D7DF
                                            • Failed to add ADMIN property on admin install., xrefs: 0100D782
                                            • IGNOREDEPENDENCIES, xrefs: 0100D70B, 0100D7E6
                                            • Failed to add feature action properties to obfuscated argument string., xrefs: 0100D550
                                            • Failed to run maintanance mode for MSI package., xrefs: 0100D75C
                                            • Failed to add reinstall mode and reboot suppression properties on repair., xrefs: 0100D701
                                            • Failed to get cached path for package: %ls, xrefs: 0100D3F4
                                            • Failed to add feature action properties to argument string., xrefs: 0100D52E
                                            • Failed to build MSI path., xrefs: 0100D42A
                                            • Failed to add reinstall all property on minor upgrade., xrefs: 0100D654
                                            • Failed to add reinstall mode and reboot suppression properties on minor upgrade., xrefs: 0100D676
                                            • %ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress, xrefs: 0100D6ED
                                            • REINSTALL=ALL, xrefs: 0100D63D, 0100D6B4
                                            • Failed to install MSI package., xrefs: 0100D7AA
                                            • Failed to enable logging for package: %ls to: %ls, xrefs: 0100D492
                                            • Failed to add obfuscated properties to argument string., xrefs: 0100D50C
                                            • Failed to add patch properties to obfuscated argument string., xrefs: 0100D594
                                            • Failed to add patch properties to argument string., xrefs: 0100D572
                                            • Failed to add reboot suppression property on install., xrefs: 0100D627
                                            • REBOOT=ReallySuppress, xrefs: 0100D60C, 0100D7C8
                                            • Failed to uninstall MSI package., xrefs: 0100D851
                                            • Failed to perform minor upgrade of MSI package., xrefs: 0100D6A2
                                            • REINSTALLMODE="vomus" REBOOT=ReallySuppress, xrefs: 0100D65F
                                            • Failed to initialize external UI handler., xrefs: 0100D461
                                            • %ls %ls=ALL, xrefs: 0100D71C, 0100D7F7
                                            • VersionString, xrefs: 0100D336, 0100D36B
                                            • ACTION=ADMIN, xrefs: 0100D767
                                            • Failed to add the list of dependencies to ignore to the properties., xrefs: 0100D730
                                            • Failed to add properties to argument string., xrefs: 0100D4D3
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: _memset
                                            • String ID: ACTION=ADMIN$ REBOOT=ReallySuppress$ REINSTALL=ALL$ REINSTALLMODE="vomus" REBOOT=ReallySuppress$%ls %ls=ALL$%ls%ls REINSTALLMODE="cmus%ls" REBOOT=ReallySuppress$Failed to add ADMIN property on admin install.$Failed to add feature action properties to argument string.$Failed to add feature action properties to obfuscated argument string.$Failed to add obfuscated properties to argument string.$Failed to add patch properties to argument string.$Failed to add patch properties to obfuscated argument string.$Failed to add properties to argument string.$Failed to add reboot suppression property on install.$Failed to add reboot suppression property on uninstall.$Failed to add reinstall all property on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on minor upgrade.$Failed to add reinstall mode and reboot suppression properties on repair.$Failed to add the list of dependencies to ignore to the properties.$Failed to build MSI path.$Failed to enable logging for package: %ls to: %ls$Failed to get cached path for package: %ls$Failed to initialize external UI handler.$Failed to install MSI package.$Failed to perform minor upgrade of MSI package.$Failed to run maintanance mode for MSI package.$Failed to uninstall MSI package.$IGNOREDEPENDENCIES$VersionString

                                            APIs
                                            • EnterCriticalSection.KERNEL32(?,?,?,00000000,00000000,?,00FF8B91,?,?,?,?,?,?,?,?,00000001), ref: 00FFA972
                                            • lstrlenW.KERNEL32(?,?,00FF8B91,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00FFA97B
                                            • _wcschr.LIBCMT ref: 00FFA9A2
                                            • _wcschr.LIBCMT ref: 00FFA9B9
                                            • _wcschr.LIBCMT ref: 00FFAB2A
                                            • LeaveCriticalSection.KERNEL32(?,00000000,00000000,0102B5F8,00000000,00000000,00000000,00FF8B91,?,00FF8B91,?,00000000,00FF8B91,00000001,?,00FF8B91), ref: 00FFAD83
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: _wcschr$CriticalSection$EnterLeavelstrlen
                                            • String ID: *****$Failed to allocate buffer for format string.$Failed to allocate record.$Failed to allocate string.$Failed to allocate variable array.$Failed to append placeholder.$Failed to append string.$Failed to copy string.$Failed to determine variable visibility: '%ls'.$Failed to format placeholder string.$Failed to format record.$Failed to get formatted length.$Failed to get variable name.$Failed to reallocate variable array.$Failed to set record format string.$Failed to set record string.$Failed to set variable value.$[%d]$variable.cpp

                                            APIs
                                            • CoInitializeEx.OLE32(00000000,00000000), ref: 010168AE
                                            • #20.CABINET(01015FA2,01015FB1,01016374,0101657B,01015FBE,01016749,01016610,000000FF,?), ref: 0101690A
                                            • CoUninitialize.COMBASE ref: 01016AB6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: InitializeUninitialize
                                            • String ID: <the>.cab$Failed to extract all files from container.$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$cabextract.cpp

                                            APIs
                                            • GetCurrentProcessId.KERNEL32(8000FFFF,00000000,74DF3140,?,00FF398B,?,?,00000008,00000000,?), ref: 00FF3175
                                            • ReadFile.KERNELBASE(00000008,00000008,00000004,?,00000000,?,00FF398B,?,?,00000008,00000000,?), ref: 00FF3195
                                            • GetLastError.KERNEL32(?,00FF398B,?,?,00000008,00000000,?), ref: 00FF319B
                                            • ReadFile.KERNELBASE(00000008,00000000,00000008,?,00000000,00000000,00000009,?,00FF398B,?,?,00000008,00000000,?), ref: 00FF322B
                                            • GetLastError.KERNEL32(?,00FF398B,?,?,00000008,00000000,?), ref: 00FF3231
                                            Strings
                                            • Failed to inform parent process that child is running., xrefs: 00FF3341
                                            • Failed to read verification secret from parent pipe., xrefs: 00FF3260
                                            • Verification secret from parent is too big., xrefs: 00FF31F7
                                            • Verification secret from parent does not match., xrefs: 00FF3298
                                            • Failed to read verification process id from parent pipe., xrefs: 00FF32E5
                                            • Failed to read size of verification secret from parent pipe., xrefs: 00FF31CA
                                            • pipe.cpp, xrefs: 00FF31C0, 00FF31EB, 00FF3256, 00FF328C, 00FF32DB, 00FF3337, 00FF3374
                                            • Verification process id from parent does not match., xrefs: 00FF3380
                                            • Failed to allocate buffer for verification secret., xrefs: 00FF3213
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorFileLastRead$CurrentProcess
                                            • String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$pipe.cpp

                                            APIs
                                            • RegCloseKey.KERNELBASE(00000000,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006,00000000,00000000,00000000,?,?), ref: 00FF6A9F
                                              • Part of subcall function 01023C39: RegSetValueExW.KERNELBASE(?,00020006,00000000,00000004,00FF68EA,00000004,00000001,?,00FF68EA,00020006,Resume,00FF13BB,00000000,00000000,?,?), ref: 01023C4E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CloseValue
                                            • String ID: "%ls" /%ls$BundleResumeCommandLine$Failed to create run key.$Failed to delete resume command line value.$Failed to delete run key value.$Failed to format resume command line for RunOnce.$Failed to write Installed value.$Failed to write Resume value.$Failed to write resume command line value.$Failed to write run key value.$Installed$Resume$SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$burn.runonce$registration.cpp

                                            APIs
                                            • InitializeCriticalSection.KERNEL32(00FF2222,00000000,00FF1D56,00FF21DE), ref: 00FFAE7F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CriticalInitializeSection
                                            • String ID: #$$$'$0$9$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleManufacturer$WixBundleProviderKey$WixBundleTag$WixBundleVersion
                                            APIs
                                            • TlsSetValue.KERNEL32(?,?), ref: 010013CA
                                            • RegisterClassW.USER32(?), ref: 010013F8
                                            • GetLastError.KERNEL32 ref: 01001403
                                            • CreateWindowExW.USER32(00000080,01034EE8,00000000,90000000,80000000,00000008,00000000,00000000,00000000,00000000,?,?), ref: 01001473
                                            • GetLastError.KERNEL32 ref: 0100147D
                                            • SetEvent.KERNEL32(?), ref: 010014C0
                                            • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 010014FF
                                            • UnregisterClassW.USER32(WixBurnMessageWindow,?), ref: 01001524
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ClassErrorLast$CallbackCreateDispatcherEventRegisterUnregisterUserValueWindow
                                            • String ID: Failed to create window.$Failed to register window.$Unexpected return value from message pump.$WixBurnMessageWindow$uithread.cpp
                                            APIs
                                            • CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000003,00000000,00000000,00000000,?), ref: 00FF391F
                                            • GetLastError.KERNEL32 ref: 00FF3929
                                            • Sleep.KERNELBASE(00000064), ref: 00FF394E
                                            Strings
                                            • Failed to open parent pipe: %ls, xrefs: 00FF3972
                                            • Failed to allocate name of parent pipe., xrefs: 00FF38E4
                                            • Failed to allocate name of parent cache pipe., xrefs: 00FF39C3
                                            • pipe.cpp, xrefs: 00FF3965, 00FF3A6A
                                            • Failed to verify parent pipe: %ls, xrefs: 00FF3994
                                            • Failed to open companion process with PID: %u, xrefs: 00FF3A77
                                            • \\.\pipe\%ls, xrefs: 00FF38D0
                                            • \\.\pipe\%ls.Cache, xrefs: 00FF39AD
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CreateErrorFileLastSleep
                                            • String ID: Failed to allocate name of parent cache pipe.$Failed to allocate name of parent pipe.$Failed to open companion process with PID: %u$Failed to open parent pipe: %ls$Failed to verify parent pipe: %ls$\\.\pipe\%ls$\\.\pipe\%ls.Cache$pipe.cpp
                                            APIs
                                            Strings
                                            • Failed to read action., xrefs: 01000811
                                            • Failed to read package log., xrefs: 0100087E
                                            • Failed to read UI level., xrefs: 0100089F
                                            • Failed to read rollback flag., xrefs: 010009F2
                                            • Failed to read variables., xrefs: 010009CB
                                            • Failed to execute MSI package., xrefs: 01000A1D
                                            • Failed to find package: %ls, xrefs: 01000833
                                            • Failed to read slipstream action., xrefs: 010009D2
                                            • Failed to read parent hwnd., xrefs: 0100085D
                                            • Failed to read feature action., xrefs: 01000974
                                            • Failed to allocate memory for slipstream patch actions., xrefs: 0100096A
                                            • elevation.cpp, xrefs: 010008F0, 01000960
                                            • Failed to allocate memory for feature actions., xrefs: 010008FA
                                            Similarity
                                            • API ID: _memset
                                            • String ID: Failed to allocate memory for feature actions.$Failed to allocate memory for slipstream patch actions.$Failed to execute MSI package.$Failed to find package: %ls$Failed to read UI level.$Failed to read action.$Failed to read feature action.$Failed to read package log.$Failed to read parent hwnd.$Failed to read rollback flag.$Failed to read slipstream action.$Failed to read variables.$elevation.cpp
                                            APIs
                                            Strings
                                            • WixBundleOriginalSource, xrefs: 00FFD8EE
                                            • Failed to open manifest stream., xrefs: 00FFD896
                                            • Failed to open attached UX container., xrefs: 00FFD879
                                            • Failed to set original source variable., xrefs: 00FFD8FF
                                            • Failed to parse command line., xrefs: 00FFD807
                                            • Failed to initialize variables., xrefs: 00FFD825
                                            • Failed to get unique temporary folder for bootstrapper application., xrefs: 00FFD92D
                                            • Failed to extract bootstrapper application payloads., xrefs: 00FFD94E
                                            • Failed to overwrite the %ls built-in variable., xrefs: 00FFD853
                                            • Failed to load catalog files., xrefs: 00FFD96E
                                            • Failed to get manifest stream from container., xrefs: 00FFD8B7
                                            • Failed to load manifest., xrefs: 00FFD8D3
                                            • WixBundleElevated, xrefs: 00FFD83A, 00FFD83F, 00FFD852
                                            Similarity
                                            • API ID: _memset
                                            • String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$WixBundleElevated$WixBundleOriginalSource
                                            APIs
                                            • GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,?,?,010258C1,00000000,?,00000000), ref: 010256F7
                                            • GetLastError.KERNEL32(?,?,010258C1,00000000,?,00000000,?,?,?,?,?,?,?,?,01013EC5,00FF2222), ref: 01025703
                                            • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 01025767
                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 01025773
                                            • GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 0102577D
                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 01025788
                                            • CoCreateInstance.OLE32(01047EF8,00000000,00000001,0102BCE0,?,?,?,010258C1,00000000,?,00000000), ref: 010257C2
                                            • ExitProcess.KERNEL32 ref: 01025877
                                            Strings
                                            Similarity
                                            • API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
                                            • String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$xmlutil.cpp
                                            APIs
                                            • ReleaseMutex.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00FF174B
                                            • CloseHandle.KERNEL32(00000000,?,?,?,00FF1DEA,?,?), ref: 00FF1754
                                              • Part of subcall function 00FF28E3: UuidCreate.RPCRT4(?), ref: 00FF291A
                                              • Part of subcall function 00FF28E3: StringFromGUID2.OLE32(?,?,00000027), ref: 00FF292D
                                            Strings
                                            • Failed to connect to unelevated process., xrefs: 00FF15F4
                                            • engine.cpp, xrefs: 00FF1634, 00FF167E
                                            • Failed to pump messages from parent process., xrefs: 00FF171D
                                            • Failed to set elevated pipe into thread local storage for logging., xrefs: 00FF1688
                                            • Failed to create the message window., xrefs: 00FF16A1
                                            • Failed to allocate thread local storage for logging., xrefs: 00FF163E
                                            • Failed to create implicit elevated connection name and secret., xrefs: 00FF15AD
                                            • Failed to launch unelevated process., xrefs: 00FF15D6
                                            Similarity
                                            • API ID: CloseCreateFromHandleMutexReleaseStringUuid
                                            • String ID: Failed to allocate thread local storage for logging.$Failed to connect to unelevated process.$Failed to create implicit elevated connection name and secret.$Failed to create the message window.$Failed to launch unelevated process.$Failed to pump messages from parent process.$Failed to set elevated pipe into thread local storage for logging.$engine.cpp
                                            APIs
                                            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,00000000,00000000), ref: 01010ACF
                                            • GetLastError.KERNEL32 ref: 01010AE0
                                            • GetCurrentProcess.KERNEL32(00FF1D72,00000000,00000000,00000002,00000000,00000000), ref: 01010B29
                                            • GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 01010B2F
                                            • DuplicateHandle.KERNELBASE(00000000), ref: 01010B32
                                            • GetLastError.KERNEL32 ref: 01010B3C
                                            • SetFilePointerEx.KERNELBASE(00FF1D72,00FF2142,00FF1D72,00000000,00000000), ref: 01010BA3
                                            • GetLastError.KERNEL32 ref: 01010BAD
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
                                            • String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$container.cpp
                                            APIs
                                            • CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,000000FF,?,000000FF), ref: 010163A6
                                            • GetCurrentProcess.KERNEL32(000000FF,00000000,00000000,00000000), ref: 010163BE
                                            • GetCurrentProcess.KERNEL32(?,00000000), ref: 010163C3
                                            • DuplicateHandle.KERNELBASE(00000000), ref: 010163C6
                                            • GetLastError.KERNEL32 ref: 010163D0
                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000), ref: 0101643F
                                            • GetLastError.KERNEL32 ref: 0101644D
                                            Strings
                                            • Failed to open cabinet file: %hs, xrefs: 0101647F
                                            • cabextract.cpp, xrefs: 010163F5, 01016472
                                            • Failed to duplicate handle to cab container., xrefs: 010163FF
                                            • Failed to add virtual file pointer for cab container., xrefs: 0101641D
                                            • <the>.cab, xrefs: 0101639D
                                            Similarity
                                            • API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
                                            • String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$cabextract.cpp
                                            APIs
                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00FF1D72,00000000,00FF2142,00FF1D72,00000000,?,01010BF7,00FF1D72,?), ref: 01016B06
                                            • GetLastError.KERNEL32(?,01010BF7,00FF1D72,?), ref: 01016B0F
                                            Strings
                                            Similarity
                                            • API ID: CreateErrorEventLast
                                            • String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$cabextract.cpp
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _memmove_memset
                                            • String ID: Failed to allocate room for more variables.$Failed to allocate room for variables.$Failed to copy variable name.$Overflow while calculating size of variable array buffer$Overflow while dealing with variable array buffer allocation$Overflow while growing variable array size$variable.cpp
                                            APIs
                                            • _memset.LIBCMT ref: 01007DA8
                                            • LocalFree.KERNEL32(?,?,00000001,80000005,?,00000000,?,00000000,00000003,000007D0), ref: 01007EE2
                                            Strings
                                            • Failed to secure cache path: %ls, xrefs: 01007EC6
                                            • cache.cpp, xrefs: 01007E7F
                                            • Failed to allocate access for Administrators group to path: %ls, xrefs: 01007DD5
                                            • Failed to allocate access for Everyone group to path: %ls, xrefs: 01007E1C
                                            • Failed to create ACL to secure cache path: %ls, xrefs: 01007E8F
                                            • Failed to allocate access for SYSTEM group to path: %ls, xrefs: 01007DF6
                                            • Failed to allocate access for Users group to path: %ls, xrefs: 01007E3D
                                            Similarity
                                            • API ID: FreeLocal_memset
                                            • String ID: Failed to allocate access for Administrators group to path: %ls$Failed to allocate access for Everyone group to path: %ls$Failed to allocate access for SYSTEM group to path: %ls$Failed to allocate access for Users group to path: %ls$Failed to create ACL to secure cache path: %ls$Failed to secure cache path: %ls$cache.cpp
                                            APIs
                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,00FF1E12,?), ref: 01001556
                                            • GetLastError.KERNEL32(?,?,00FF1E12,?), ref: 01001563
                                            • CreateThread.KERNELBASE(00000000,00000000,Function_00011380,?,00000000,00000000), ref: 010015B7
                                            • GetLastError.KERNEL32(?,?,00FF1E12,?), ref: 010015C4
                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00FF1E12,?), ref: 0100160F
                                            • CloseHandle.KERNEL32(00000001,?,?,00FF1E12,?), ref: 0100162F
                                            • CloseHandle.KERNELBASE(?,?,?,00FF1E12,?), ref: 0100163C
                                            Strings
                                            Similarity
                                            • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
                                            • String ID: Failed to create initialization event.$Failed to create the UI thread.$uithread.cpp
                                            • API String ID: 2351989216-3599963359
                                            APIs
                                            • _memset.LIBCMT ref: 01008EF1
                                              • Part of subcall function 01025C4F: SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,010081A9,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 01025C65
                                              • Part of subcall function 01025C4F: GetLastError.KERNEL32(?,010081A9,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,01009C26,00000000,?), ref: 01025C6F
                                            Strings
                                            • cache.cpp, xrefs: 01008F8D, 01008FE0, 01009023
                                            • Failed to get provider state from authenticode certificate., xrefs: 01008FEA
                                            • Failed to verify expected payload against actual certificate chain., xrefs: 01009045
                                            • Failed to get signer chain from authenticode certificate., xrefs: 0100902D
                                            • Failed to move file pointer to beginning of file., xrefs: 01008F09
                                            • Failed authenticode verification of payload: %ls, xrefs: 01008F9A
                                            Similarity
                                            • API ID: ErrorFileLastPointer_memset
                                            • String ID: Failed authenticode verification of payload: %ls$Failed to get provider state from authenticode certificate.$Failed to get signer chain from authenticode certificate.$Failed to move file pointer to beginning of file.$Failed to verify expected payload against actual certificate chain.$cache.cpp
                                            • API String ID: 3998764941-4294895434
                                            APIs
                                            • ReadFile.KERNELBASE(00000000,?,00000008,00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00FF3034
                                            • GetLastError.KERNEL32(?,?,?,00000000), ref: 00FF303E
                                            • ReadFile.KERNEL32(00000000,00000000,?,00000000,00000000,?,00000000,?,?,?,00000000), ref: 00FF30EB
                                            • GetLastError.KERNEL32(?,?,?,00000000), ref: 00FF30F5
                                            Strings
                                            Similarity
                                            • API ID: ErrorFileLastRead
                                            • String ID: Failed to allocate data for message.$Failed to read data for message.$Failed to read message from pipe.$pipe.cpp
                                            • API String ID: 1948546556-3912962418
                                            APIs
                                            • CreateFileW.KERNELBASE(00000000,80000000,00000005,00000000,00000003,08000000,00000000,00000000,?,?,01009C26,00000000,?,?,00000000,?), ref: 010095B5
                                            • GetLastError.KERNEL32(?,?,01009C26,00000000,?,?,00000000,?,?,00000000,00000000,?,?,00000000,?), ref: 010095C3
                                              • Part of subcall function 0100828F: _memset.LIBCMT ref: 010082B9
                                            • CloseHandle.KERNEL32(000000FF,?,?,01009C26,00000000,?,?,00000000,?,?,00000000,00000000), ref: 0100968F
                                            Strings
                                            • Failed to verify catalog signature of payload: %ls, xrefs: 01009653
                                            • Failed to open payload at path: %ls, xrefs: 01009608
                                            • Failed to verify signature of payload: %ls, xrefs: 01009632
                                            • cache.cpp, xrefs: 010095FB
                                            • Failed to verify hash of payload: %ls, xrefs: 01009678
                                            Similarity
                                            • API ID: CloseCreateErrorFileHandleLast_memset
                                            • String ID: Failed to open payload at path: %ls$Failed to verify catalog signature of payload: %ls$Failed to verify hash of payload: %ls$Failed to verify signature of payload: %ls$cache.cpp
                                            • API String ID: 1470872789-2757871984
                                            APIs
                                            • TlsSetValue.KERNEL32(?,?), ref: 01000E59
                                            • GetLastError.KERNEL32 ref: 01000E63
                                            • CoInitializeEx.OLE32(00000000,00000000), ref: 01000EA5
                                            • CoUninitialize.OLE32(?,01000350,?,?), ref: 01000EE2
                                            Strings
                                            • Failed to set elevated cache pipe into thread local storage for logging., xrefs: 01000E92
                                            • Failed to initialize COM., xrefs: 01000EB1
                                            • elevation.cpp, xrefs: 01000E88
                                            • Failed to pump messages in child process., xrefs: 01000ED0
                                            Similarity
                                            • API ID: ErrorInitializeLastUninitializeValue
                                            • String ID: Failed to initialize COM.$Failed to pump messages in child process.$Failed to set elevated cache pipe into thread local storage for logging.$elevation.cpp
                                            • API String ID: 876858697-113251691
                                            APIs
                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000000,?,?,00020006,00000000,00000000,00000000,?,00000000,00000001), ref: 00FF7333
                                            • RegCloseKey.ADVAPI32(00000001,00000000,00000000,?,?,00020006,00000000,00000000,00000000,?,00000000,00000001), ref: 00FF7340
                                              • Part of subcall function 01023D2A: RegCreateKeyExW.KERNELBASE(00000001,00000000,00000000,00000000,00000000,00000001,00FF13BB,?,?,00000001,?,00FF727D,?,00FF13BB,00020006,00000001), ref: 01023D4E
                                            Strings
                                            • %ls.RebootRequired, xrefs: 00FF7257
                                            • Failed to write volatile reboot required registry key., xrefs: 00FF7281
                                            • Failed to update resume mode., xrefs: 00FF7318
                                            • Failed to delete registration key: %ls, xrefs: 00FF72E3
                                            • Failed to open registration key., xrefs: 00FF7371
                                            Similarity
                                            • API ID: Close$Create
                                            • String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.
                                            • API String ID: 359002179-2517785395
                                            APIs
                                            • _memset.LIBCMT ref: 01020600
                                            • CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00FF2A9B,?,?,?,?,00000000,00000000), ref: 01020657
                                            • GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 01020661
                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 010206AB
                                            • CloseHandle.KERNEL32(00FF2A9B,?,?,?,?,00000000,00000000,00000000), ref: 010206B8
                                            Strings
                                            Similarity
                                            • API ID: CloseHandle$CreateErrorLastProcess_memset
                                            • String ID: "%ls" %ls$procutil.cpp
                                            • API String ID: 1393943095-4145822745
                                            APIs
                                            • GetCurrentProcessId.KERNEL32(00000000,?,?,?), ref: 00FF2A35
                                              • Part of subcall function 0102202C: GetModuleFileNameW.KERNEL32(00FF213E,?,00000104,?,00000104,?,00000000,?,?,00FF213E,?,00000000,?,?,?,76EEC3F0), ref: 0102204D
                                            • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,00000000), ref: 00FF2ABA
                                              • Part of subcall function 010205E9: _memset.LIBCMT ref: 01020600
                                              • Part of subcall function 010205E9: CreateProcessW.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00FF2A9B,?,?,?,?,00000000,00000000), ref: 01020657
                                              • Part of subcall function 010205E9: GetLastError.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 01020661
                                              • Part of subcall function 010205E9: CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000000,00000000), ref: 010206AB
                                              • Part of subcall function 010205E9: CloseHandle.KERNEL32(00FF2A9B,?,?,?,?,00000000,00000000,00000000), ref: 010206B8
                                            Strings
                                            • burn.unelevated, xrefs: 00FF2A5E
                                            • Failed to get current process path., xrefs: 00FF2A4D
                                            • Failed to allocate parameters for elevated process., xrefs: 00FF2A7A
                                            • Failed to launch parent process with unelevate disabled: %ls, xrefs: 00FF2AA4
                                            • %ls -%ls %ls %ls %u, xrefs: 00FF2A66
                                            Similarity
                                            • API ID: CloseHandle$Process$CreateCurrentErrorFileLastModuleName_memset
                                            • String ID: %ls -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to get current process path.$Failed to launch parent process with unelevate disabled: %ls$burn.unelevated
                                            • API String ID: 1951228193-688900554
                                            APIs
                                            • WaitForSingleObject.KERNEL32(?,000493E0,00000000,?,?,0100123F,00000000,?,01000EF0,?,00000000,?,?,?,00FF1DEA,?), ref: 00FFE8BE
                                            • GetLastError.KERNEL32(?,?,0100123F,00000000,?,01000EF0,?,00000000,?,?,?,00FF1DEA,?,?), ref: 00FFE8C8
                                            • GetExitCodeThread.KERNELBASE(?,?,?,?,0100123F,00000000,?,01000EF0,?,00000000,?,?,?,00FF1DEA,?,?), ref: 00FFE905
                                            • GetLastError.KERNEL32(?,?,0100123F,00000000,?,01000EF0,?,00000000,?,?,?,00FF1DEA,?,?), ref: 00FFE90F
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$CodeExitObjectSingleThreadWait
                                            • String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$elevation.cpp
                                            • API String ID: 3686190907-1954264426
                                            APIs
                                            • CreateThread.KERNELBASE(00000000,00000000,Function_00010E43,?,00000000,00000000), ref: 010011C5
                                            • GetLastError.KERNEL32(?,?,?,00FF1DEA,?,?), ref: 010011D1
                                              • Part of subcall function 00FFE8AC: WaitForSingleObject.KERNEL32(?,000493E0,00000000,?,?,0100123F,00000000,?,01000EF0,?,00000000,?,?,?,00FF1DEA,?), ref: 00FFE8BE
                                              • Part of subcall function 00FFE8AC: GetLastError.KERNEL32(?,?,0100123F,00000000,?,01000EF0,?,00000000,?,?,?,00FF1DEA,?,?), ref: 00FFE8C8
                                            • CloseHandle.KERNEL32(00000000,00000000,?,01000EF0,?,00000000,?,?,?,00FF1DEA,?,?), ref: 01001250
                                            Strings
                                            • elevation.cpp, xrefs: 010011F6
                                            • Failed to create elevated cache thread., xrefs: 01001200
                                            • Failed to pump messages in child process., xrefs: 0100122A
                                            Similarity
                                            • API ID: ErrorLast$CloseCreateHandleObjectSingleThreadWait
                                            • String ID: Failed to create elevated cache thread.$Failed to pump messages in child process.$elevation.cpp
                                            • API String ID: 3606931770-4134175193
                                            APIs
                                            • lstrlenW.KERNEL32(F08B8007,057CF33B,BundleUpgradeCode,00FF13BB,00000000,00000000,F08B8007,057CF33B,00020006,00000000,?,?,C5330104), ref: 01024236
                                            • lstrlenW.KERNEL32(F08B8007,00020006,00000001,F08B8007,00020006,00000001,BundleUpgradeCode,00FF13BB,00000000), ref: 01024297
                                            • lstrlenW.KERNEL32(F08B8007), ref: 0102429E
                                            • RegSetValueExW.KERNELBASE(00020006,00000000,00000000,00000007,00020006,00000000,00000001,00000000,00000000,00020006,00000001,BundleUpgradeCode,00FF13BB,00000000), ref: 010242DA
                                            Strings
                                            Similarity
                                            • API ID: lstrlen$Value
                                            • String ID: BundleUpgradeCode$regutil.cpp
                                            • API String ID: 198323757-1648651458
                                            APIs
                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 0100CC0A
                                            Strings
                                            • Failed to format property string part., xrefs: 0100CC78
                                            • %s%="%s", xrefs: 0100CC30
                                            • Failed to escape string., xrefs: 0100CC71
                                            • Failed to format property value., xrefs: 0100CC6A
                                            • Failed to append property string part., xrefs: 0100CC7F
                                            Similarity
                                            • API ID: Open@16
                                            • String ID: %s%="%s"$Failed to append property string part.$Failed to escape string.$Failed to format property string part.$Failed to format property value.
                                            • API String ID: 3613110473-515423128
                                            • Opcode ID: 6b55f7338316b585207df8ada144d5db9e9c32d58424aab3c031a7dc3c6201c7
                                            • Instruction ID: 7edcdf16d023370214996767e0976ec642ea85e99e9978bda3b2fa59736fb25b
                                            • Opcode Fuzzy Hash: 6b55f7338316b585207df8ada144d5db9e9c32d58424aab3c031a7dc3c6201c7
                                            • Instruction Fuzzy Hash: E0315272D0421EEBFF12AF98CE81CEEBBB4FB04204F1446AAE691A3190D7715E519B51
                                            APIs
                                            Strings
                                            • Failed to read action., xrefs: 00FFF4D9
                                            • Failed to execute package dependency action., xrefs: 00FFF532
                                            • Failed to read package id from message buffer., xrefs: 00FFF496
                                            • Failed to read bundle dependency key from message buffer., xrefs: 00FFF4B9
                                            • Failed to find package: %ls, xrefs: 00FFF511
                                            Similarity
                                            • API ID: _memset
                                            • String ID: Failed to execute package dependency action.$Failed to find package: %ls$Failed to read action.$Failed to read bundle dependency key from message buffer.$Failed to read package id from message buffer.
                                            • API String ID: 2102423945-4197210911
                                            • Opcode ID: f4c94975e3688400693dfda5e3691425c19d7bc5867322a1b8bf305b528606b6
                                            • Instruction ID: c11725f335816acb7368b385ae56dab31eaedfc0f3ecf8b59e531503dd252e05
                                            • Opcode Fuzzy Hash: f4c94975e3688400693dfda5e3691425c19d7bc5867322a1b8bf305b528606b6
                                            • Instruction Fuzzy Hash: 9A312A72D0022DBBCF12EED4EC41AEEBA79AF14710F144165FA40BA1A0DB719E58A791
                                            APIs
                                            • OpenProcessToken.ADVAPI32(?,00000008,00000000,76EEC3F0,?,00000000), ref: 010204D5
                                            • GetLastError.KERNEL32 ref: 010204DF
                                            • GetTokenInformation.KERNELBASE(00000000,00000014(TokenIntegrityLevel),?,00000004,?), ref: 01020512
                                            • GetLastError.KERNEL32 ref: 0102052B
                                            • CloseHandle.KERNELBASE(00000000), ref: 0102056B
                                            Strings
                                            Similarity
                                            • API ID: ErrorLastToken$CloseHandleInformationOpenProcess
                                            • String ID: procutil.cpp
                                            • API String ID: 4040495316-1178289305
                                            • Opcode ID: 4700a910b77fefa393312ddeef1b4d538efe62499ca970ff8aa051971c6ecfe4
                                            • Instruction ID: 35b525a29bbbdd0bf068efdfa3337f90af3c535ad243e4369fac27e6b58ca8af
                                            • Opcode Fuzzy Hash: 4700a910b77fefa393312ddeef1b4d538efe62499ca970ff8aa051971c6ecfe4
                                            • Instruction Fuzzy Hash: 4621C672A40236EFDB319EA8D8C4AEEBBB8EB04350F114479F695EA054D2798A048790
                                            APIs
                                            • InitializeAcl.ADVAPI32(00000000,00000008,00000002,0000001A,00000000,00000000,00000000,00000000,00000000), ref: 01007CA3
                                            • GetLastError.KERNEL32 ref: 01007CAD
                                            • SetFileAttributesW.KERNELBASE(00000000,00000080,00000000,00000001,20000004,00000000,00000000,00000000,00000000,00000003,000007D0,00000000,00000000,00000000,00000000), ref: 01007D15
                                            Strings
                                            • cache.cpp, xrefs: 01007CD2
                                            • Failed to initialize ACL., xrefs: 01007CDC
                                            • Failed to allocate administrator SID., xrefs: 01007C94
                                            Similarity
                                            • API ID: AttributesErrorFileInitializeLast
                                            • String ID: Failed to allocate administrator SID.$Failed to initialize ACL.$cache.cpp
                                            • API String ID: 669721577-1117388985
                                            • Opcode ID: adf5807688f779646d79d2f555f96c45830280c734cd65fd8e6fbbc98c9487ea
                                            • Instruction ID: d9508cbec70b617f3fd6f85ed8711078693cf80bdd50bb54d1dbe0e939418d59
                                            • Opcode Fuzzy Hash: adf5807688f779646d79d2f555f96c45830280c734cd65fd8e6fbbc98c9487ea
                                            • Instruction Fuzzy Hash: 1011EC72A40219BAFB326A95CC45FEEBBBDAF50710F204165FAC5FA0C0E6795E00D790
                                            APIs
                                            • CoInitialize.OLE32(00000000), ref: 010253E1
                                            • InterlockedIncrement.KERNEL32(01047F08), ref: 010253FE
                                            • CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,01047EF8), ref: 01025419
                                            • CLSIDFromProgID.OLE32(MSXML.DOMDocument,01047EF8), ref: 01025425
                                            Strings
                                            Similarity
                                            • API ID: FromProg$IncrementInitializeInterlocked
                                            • String ID: MSXML.DOMDocument$Msxml2.DOMDocument
                                            • API String ID: 2109125048-2356320334
                                            • Opcode ID: 39ed57ff49128b5b9a767df3d7bfaac55a1efa9c1a33f63b0a3fac594787c832
                                            • Instruction ID: a79a4b0c046abd7fc9e72a399f3a74cbfa3984a32fb87025e63099f879b3fe65
                                            • Opcode Fuzzy Hash: 39ed57ff49128b5b9a767df3d7bfaac55a1efa9c1a33f63b0a3fac594787c832
                                            • Instruction Fuzzy Hash: 95F0E570780231A7D3311A7ABC88B5B7EA4EBC0B66F601829FED0C5408DF95984287B0
                                            APIs
                                            • DefWindowProcW.USER32(?,00000082,?,?), ref: 010012CB
                                            • SetWindowLongW.USER32(?,000000EB,00000000), ref: 010012DA
                                            • SetWindowLongW.USER32(?,000000EB,?), ref: 010012EE
                                            • DefWindowProcW.USER32(?,?,?,?), ref: 010012FE
                                            • GetWindowLongW.USER32(?,000000EB), ref: 01001318
                                            • PostQuitMessage.USER32(00000000), ref: 01001373
                                            Similarity
                                            • API ID: Window$Long$Proc$MessagePostQuit
                                            • String ID:
                                            • API String ID: 3812958022-0
                                            • Opcode ID: 1086389c096e26fc61dec83490dc4aa6118865115ff0297b65e71f029c7d2946
                                            • Instruction ID: 2050aaabcde4518959aded805f797a02ec0a94c5710b2f23f23f35f1f2940ae0
                                            • Opcode Fuzzy Hash: 1086389c096e26fc61dec83490dc4aa6118865115ff0297b65e71f029c7d2946
                                            • Instruction Fuzzy Hash: F821C572104209BFEB225F68DC49D6E7BAAFF44310F58C624FA96961E4C731DE20DB50
                                            APIs
                                            Strings
                                            • elevation.cpp, xrefs: 010010CD
                                            • Unexpected elevated message sent to child process, msg: %u, xrefs: 010010DC
                                            • Failed to save state., xrefs: 01000FB5
                                            Similarity
                                            • API ID: CloseHandleMutexRelease
                                            • String ID: Failed to save state.$Unexpected elevated message sent to child process, msg: %u$elevation.cpp
                                            • API String ID: 4207627910-1576875097
                                            • Opcode ID: e8c6352d29c59ed627d78573fdb2fbb3b79752fa0167541ed5ddd911ca0a5a73
                                            • Instruction ID: 521e384db8836731d49c1eb8e015aebaac90559aa65bb7b0f8b2578d985442fa
                                            • Opcode Fuzzy Hash: e8c6352d29c59ed627d78573fdb2fbb3b79752fa0167541ed5ddd911ca0a5a73
                                            • Instruction Fuzzy Hash: 5E51E67A104604EFDB26AF44CD41D6ABBB2FF08360B01C459FE9A5B676C736E910EB11
                                            APIs
                                            • SetFilePointerEx.KERNELBASE(?,?,?,?,?,?), ref: 010166D3
                                            • GetLastError.KERNEL32 ref: 010166DD
                                            Strings
                                            • cabextract.cpp, xrefs: 01016707
                                            • Invalid seek type., xrefs: 0101664C
                                            • Failed to move file pointer 0x%x bytes., xrefs: 01016714
                                            Similarity
                                            • API ID: ErrorFileLastPointer
                                            • String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$cabextract.cpp
                                            • API String ID: 2976181284-417918914
                                            • Opcode ID: 7b4c1a45f2e0a2d564cfcc53866ba6c06c7631d086b3cd673a3551d86f66bffe
                                            • Instruction ID: b12da784ac147805ab9e1a74876778eca89c02c2df3e325f49e4aa87ddfff66d
                                            • Opcode Fuzzy Hash: 7b4c1a45f2e0a2d564cfcc53866ba6c06c7631d086b3cd673a3551d86f66bffe
                                            • Instruction Fuzzy Hash: 8A418F35900206EFCB10CF6CC884A99BBF5FF48364F1581A5E958EB255E77AE910CF50
                                            APIs
                                            • MoveFileExW.KERNELBASE(00000003,00000001,000007D0,?,00000000,?,?,?,010261A6,00000003,00000001,00000001,00000000,00000000,00000000), ref: 010260AC
                                            • GetLastError.KERNEL32(?,?,?,010261A6,00000003,00000001,00000001,00000000,00000000,00000000,?,0100787B,?,00000000,00000001,00000001), ref: 010260BA
                                            • MoveFileExW.KERNELBASE(00000003,00000001,000007D0,00000001,00000000,?,?,?,010261A6,00000003,00000001,00000001,00000000,00000000,00000000), ref: 0102611E
                                            • GetLastError.KERNEL32(?,?,?,010261A6,00000003,00000001,00000001,00000000,00000000,00000000,?,0100787B,?,00000000,00000001,00000001), ref: 01026128
                                            Strings
                                            Similarity
                                            • API ID: ErrorFileLastMove
                                            • String ID: fileutil.cpp
                                            • API String ID: 55378915-2967768451
                                            • Opcode ID: bfb8cd97f5fd22ebae59450ef42770c4a6ba98a17667fc5bf688a20cf0e17369
                                            • Instruction ID: 551c0420053036dfe8cf11a7629616079bf3b580db39a1d58471214db1d2304b
                                            • Opcode Fuzzy Hash: bfb8cd97f5fd22ebae59450ef42770c4a6ba98a17667fc5bf688a20cf0e17369
                                            • Instruction Fuzzy Hash: 0A21D335A00636EBEF724E59C880A7F7AA8EF80750F3804A9FDC5D6142DA3BDD519390
                                            APIs
                                            • CopyFileW.KERNELBASE(00000000,00000000,00000000,?,?,00000000,?,01026059,00000000,00000000,?,?,?,01007B9B,00000000,?), ref: 01025F66
                                            • GetLastError.KERNEL32(?,01026059,00000000,00000000,?,?,?,01007B9B,00000000,?,00000001,00000003,000007D0,?,?,01009CB4), ref: 01025F74
                                            • CopyFileW.KERNEL32(00000000,00000000,?,00000000,00000000,?,01026059,00000000,00000000,?,?,?,01007B9B,00000000,?,00000001), ref: 01025FD8
                                            • GetLastError.KERNEL32(?,01026059,00000000,00000000,?,?,?,01007B9B,00000000,?,00000001,00000003,000007D0,?,?,01009CB4), ref: 01025FE2
                                            Strings
                                            Similarity
                                            • API ID: CopyErrorFileLast
                                            • String ID: fileutil.cpp
                                            • API String ID: 374144340-2967768451
                                            • Opcode ID: e9f0ea7a98040e5994ec556eb449728320a8d6373bffe22c11f43a76f4aef742
                                            • Instruction ID: a541b24fd3c697c85affcb5a28727ca1fe195134338996edb9cf771ff5044fc9
                                            • Opcode Fuzzy Hash: e9f0ea7a98040e5994ec556eb449728320a8d6373bffe22c11f43a76f4aef742
                                            • Instruction Fuzzy Hash: 9121CC355102329BDB730E598CA8B7F3AA8EF80750B240479FDD4C6150DB3FC841A359
                                            APIs
                                              • Part of subcall function 01023D9A: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,01027ABC,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 01023DAE
                                            • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,?,?,?,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,?,?,?,00000000), ref: 01011473
                                            • RegCloseKey.ADVAPI32(?,-80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00020019,?,?,?,00000000,?,?,?,?,00000001,00000000), ref: 010114BD
                                            Strings
                                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 01011410
                                            • Failed to enumerate uninstall key for related bundles., xrefs: 01011497
                                            • Failed to open uninstall registry key., xrefs: 0101143C
                                            Similarity
                                            • API ID: CloseCompareOpenString
                                            • String ID: Failed to enumerate uninstall key for related bundles.$Failed to open uninstall registry key.$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                                            • API String ID: 2817536665-2531018330
                                            • Opcode ID: fe797b84fb697d9e31fa4d62a160d605d89ac65231a59a324e586c4de312e7b7
                                            • Instruction ID: d07071dc1c300ab6fe6520d194fd6c1062b3de30e3534ffb72009697d07730e5
                                            • Opcode Fuzzy Hash: fe797b84fb697d9e31fa4d62a160d605d89ac65231a59a324e586c4de312e7b7
                                            • Instruction Fuzzy Hash: C421D637C80229FBCF25AFE8DC849DEBB75EF04620F248169EB9177054C6394A809790
                                            APIs
                                            • CreateDirectoryW.KERNELBASE(00000003,00000001,00000000,00000001,?,0102610B,00000001,00000000,?,?,?,010261A6,00000003,00000001,00000001,00000000), ref: 01026BF0
                                            • GetLastError.KERNEL32(?,0102610B,00000001,00000000,?,?,?,010261A6,00000003,00000001,00000001,00000000,00000000,00000000,?,0100787B), ref: 01026BFE
                                              • Part of subcall function 01026BB7: GetFileAttributesW.KERNEL32(00000003,00000000,?,01026C1B,00000003,00000000,?,0102610B,00000001,00000000,?,?,?,010261A6,00000003,00000001), ref: 01026BC0
                                              • Part of subcall function 01026BE2: CreateDirectoryW.KERNELBASE(00000003,00000001,00000000,?,0102610B,00000001,00000000,?,?,?,010261A6,00000003,00000001,00000001,00000000,00000000), ref: 01026C79
                                              • Part of subcall function 01026BE2: GetLastError.KERNEL32(?,0102610B,00000001,00000000,?,?,?,010261A6,00000003,00000001,00000001,00000000,00000000,00000000,?,0100787B), ref: 01026C83
                                            Strings
                                            Similarity
                                            • API ID: CreateDirectoryErrorLast$AttributesFile
                                            • String ID: dirutil.cpp
                                            • API String ID: 925696554-2193988115
                                            • Opcode ID: afb189fdbd38940c9050a065268681f7024ca9819f2af8529c449dfdf2dc1ebd
                                            • Instruction ID: 5c718bd7faad188f2e679c636d866ec497ba8d3fae52af3bed545629879df73a
                                            • Opcode Fuzzy Hash: afb189fdbd38940c9050a065268681f7024ca9819f2af8529c449dfdf2dc1ebd
                                            • Instruction Fuzzy Hash: 4611D676A1022ED6EF712EAA8C54B7A3AD9EFC4750B714479FDD9DB100DA3BC8418360
                                            APIs
                                            Strings
                                            • Failed to open attached container., xrefs: 01010C95
                                            • Failed to get path for executing module., xrefs: 01010C77
                                            • Failed to get container information for UX container., xrefs: 01010C60
                                            • WixBundleElevated, xrefs: 01010C1D
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            Similarity
                                            • API ID: _memset
                                            • String ID: Failed to get container information for UX container.$Failed to get path for executing module.$Failed to open attached container.$WixBundleElevated
                                            APIs
                                            • InitializeCriticalSection.KERNEL32(?,?,0000011C), ref: 00FF1057
                                            • InitializeCriticalSection.KERNEL32(?,?,0000011C), ref: 00FF1060
                                            • GetCurrentProcess.KERNEL32(00000000,?,?,?,0000011C), ref: 00FF107E
                                              • Part of subcall function 010204B3: OpenProcessToken.ADVAPI32(?,00000008,00000000,76EEC3F0,?,00000000), ref: 010204D5
                                              • Part of subcall function 010204B3: GetLastError.KERNEL32 ref: 010204DF
                                              • Part of subcall function 010204B3: CloseHandle.KERNELBASE(00000000), ref: 0102056B
                                              • Part of subcall function 0102044D: _memset.LIBCMT ref: 01020475
                                            Strings
                                            • Failed to initialize engine section., xrefs: 00FF10C9
                                            • Failed to verify elevation state., xrefs: 00FF10B0
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            Similarity
                                            • API ID: CriticalInitializeProcessSection$CloseCurrentErrorHandleLastOpenToken_memset
                                            • String ID: Failed to initialize engine section.$Failed to verify elevation state.
                                            APIs
                                              • Part of subcall function 0102303C: _memset.LIBCMT ref: 01023063
                                              • Part of subcall function 0102303C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 01023078
                                              • Part of subcall function 0102303C: LoadLibraryW.KERNELBASE(?,?,00000104,00FF1C3B), ref: 010230C6
                                              • Part of subcall function 0102303C: GetLastError.KERNEL32 ref: 010230D2
                                            • GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 01023639
                                            • GetLastError.KERNEL32(?,00FF16AF,00000001,00000000,?,?,?,?,00FF1DEA,?,?), ref: 01023648
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            Similarity
                                            • API ID: ErrorLast$AddressDirectoryLibraryLoadProcSystem_memset
                                            • String ID: SRSetRestorePointW$srclient.dll$srputil.cpp
                                            APIs
                                            • RegQueryValueExW.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,?,?), ref: 0102396E
                                            • RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,?), ref: 010239A6
                                            • lstrlenW.KERNEL32(00000000,?,00000000,00000000,?,?,00000004,00000000,?,?,?,?,?,00020019,00000000,?), ref: 01023AB0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            Similarity
                                            • API ID: QueryValue$lstrlen
                                            • String ID: regutil.cpp
                                            APIs
                                            • RegEnumKeyExW.KERNELBASE(?,?,?,00000000,00000000,00000000,00000000,00000000,?,00000002,?,00000000,00000000,?,?,01011458), ref: 01023E5B
                                            • RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,01011458,?), ref: 01023E7D
                                            • RegEnumKeyExW.KERNELBASE(?,?,?,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,01011458,?,?,?), ref: 01023EC8
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            Similarity
                                            • API ID: Enum$InfoQuery
                                            • String ID: regutil.cpp
                                            APIs
                                              • Part of subcall function 01023D9A: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,01027ABC,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 01023DAE
                                            • RegCloseKey.KERNELBASE(00000000,00000000,00000000,?,?,00020019,00000000,?,?,?,?,01011490,?,?,?), ref: 010113E7
                                            Strings
                                            • Failed to open uninstall key for potential related bundle: %ls, xrefs: 0101135B
                                            • Failed to initialize package from related bundle id: %ls, xrefs: 010113C4
                                            • Failed to ensure there is space for related bundles., xrefs: 01011393
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            Similarity
                                            • API ID: CloseOpen
                                            • String ID: Failed to ensure there is space for related bundles.$Failed to initialize package from related bundle id: %ls$Failed to open uninstall key for potential related bundle: %ls
                                            APIs
                                              • Part of subcall function 010164A1: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,00000000,?,?,010165A9,?,?), ref: 010164C6
                                              • Part of subcall function 010164A1: GetLastError.KERNEL32(?,010165A9,?,?), ref: 010164D0
                                            • ReadFile.KERNELBASE(?,?,?,?,00000000,?,?), ref: 010165B7
                                            • GetLastError.KERNEL32 ref: 010165C1
                                            Strings
                                            • cabextract.cpp, xrefs: 010165E6
                                            • Failed to read during cabinet extraction., xrefs: 010165F0
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            Similarity
                                            • API ID: ErrorFileLast$PointerRead
                                            • String ID: Failed to read during cabinet extraction.$cabextract.cpp
                                            APIs
                                            • CreateFileW.KERNELBASE(E90102F2,40000000,00000001,00000000,00000002,00000080,00000000,00000000,00FF7089,?,00FF5F7A,00FF7089,00000080,E90102F2,00000000), ref: 010267A9
                                            • GetLastError.KERNEL32(?,00FF5F7A,00FF7089,00000080,E90102F2,00000000,?,?,00FF7089,00FF13BB,?,?,?,?,?,DisplayName), ref: 010267B6
                                            • CloseHandle.KERNELBASE(00000000,00000000,00FF7089,00FF5F7A,?,00FF5F7A,00FF7089,00000080,E90102F2,00000000,?,?,00FF7089,00FF13BB), ref: 0102680B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            Similarity
                                            • API ID: CloseCreateErrorFileHandleLast
                                            • String ID: fileutil.cpp
                                            APIs
                                            • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,00000000,?,?,010165A9,?,?), ref: 010164C6
                                            • GetLastError.KERNEL32(?,010165A9,?,?), ref: 010164D0
                                            Strings
                                            • cabextract.cpp, xrefs: 010164F5
                                            • Failed to move to virtual file pointer., xrefs: 010164FF
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            Similarity
                                            • API ID: ErrorFileLastPointer
                                            • String ID: Failed to move to virtual file pointer.$cabextract.cpp
                                            APIs
                                            • _memset.LIBCMT ref: 01023063
                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 01023078
                                            • LoadLibraryW.KERNELBASE(?,?,00000104,00FF1C3B), ref: 010230C6
                                            • GetLastError.KERNEL32 ref: 010230D2
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            Similarity
                                            • API ID: DirectoryErrorLastLibraryLoadSystem_memset
                                            • String ID:
                                            APIs
                                              • Part of subcall function 010288C8: lstrlenW.KERNEL32(?,?,?,010289E8,?,?,?,00000000,?,?,?,0100FB81,?,?,?,00000000), ref: 010288EB
                                            • RegCloseKey.ADVAPI32(00000000,00FF13BB,?,?,00FF13BB,00000000,00000000,?,00FF13BB,00000001,00000000), ref: 01028D71
                                            • RegCloseKey.ADVAPI32(00000001,00FF13BB,?,?,00FF13BB,00000000,00000000,?,00FF13BB,00000001,00000000), ref: 01028D8B
                                              • Part of subcall function 01023D2A: RegCreateKeyExW.KERNELBASE(00000001,00000000,00000000,00000000,00000000,00000001,00FF13BB,?,?,00000001,?,00FF727D,?,00FF13BB,00020006,00000001), ref: 01023D4E
                                              • Part of subcall function 01024111: RegSetValueExW.KERNELBASE(00020006,?,00000000,00000001,?,00000000,?,000000FF,00000000,00000001,?,?,00FF6994,00000000,?,00020006), ref: 01024144
                                              • Part of subcall function 01024111: RegDeleteValueW.KERNELBASE(00020006,?,00000001,?,?,00FF6994,00000000,?,00020006,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006,00000000), ref: 01024173
                                              • Part of subcall function 01023C39: RegSetValueExW.KERNELBASE(?,00020006,00000000,00000004,00FF68EA,00000004,00000001,?,00FF68EA,00020006,Resume,00FF13BB,00000000,00000000,?,?), ref: 01023C4E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            Similarity
                                            • API ID: Value$Close$CreateDeletelstrlen
                                            • String ID: %ls\%ls
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            Similarity
                                            • API ID: _memset
                                            • String ID: d$srputil.cpp
                                            APIs
                                            • RegSetValueExW.KERNELBASE(00020006,?,00000000,00000001,?,00000000,?,000000FF,00000000,00000001,?,?,00FF6994,00000000,?,00020006), ref: 01024144
                                            • RegDeleteValueW.KERNELBASE(00020006,?,00000001,?,?,00FF6994,00000000,?,00020006,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006,00000000), ref: 01024173
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Value$Delete
                                            • String ID: regutil.cpp
                                            • API String ID: 1738766685-955085611
                                            APIs
                                            • Sleep.KERNEL32(00000001,00000000,00000000,00000000,00000000,00000000,20000004,?,01007D0B,00000000,00000001,20000004,00000000,00000000,00000000,00000000), ref: 0102016B
                                            • SetNamedSecurityInfoW.ADVAPI32(00000000,000007D0,00000003,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,20000004,?,01007D0B,00000000), ref: 01020186
                                            Strings
                                            Similarity
                                            • API ID: InfoNamedSecuritySleep
                                            • String ID: aclutil.cpp
                                            • API String ID: 2352087905-2159165307
                                            APIs
                                            • WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,01025EC1,?,?,00000000), ref: 01025DB4
                                            • GetLastError.KERNEL32(?,?,01025EC1,?,?,00000000), ref: 01025DBE
                                            Strings
                                            Similarity
                                            • API ID: ErrorFileLastWrite
                                            • String ID: fileutil.cpp
                                            • API String ID: 442123175-2967768451
                                            APIs
                                            • SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,010081A9,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 01025C65
                                            • GetLastError.KERNEL32(?,010081A9,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,01009C26,00000000,?), ref: 01025C6F
                                            Strings
                                            Similarity
                                            • API ID: ErrorFileLastPointer
                                            • String ID: fileutil.cpp
                                            • API String ID: 2976181284-2967768451
                                            APIs
                                            • IsWindow.USER32(?), ref: 0100126D
                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 01001283
                                            • WaitForSingleObject.KERNEL32(?,00003A98,?,00FF1A88,?,00000000,?,?,?,?,?,00000001,?,?,?,?), ref: 01001294
                                            Similarity
                                            • API ID: MessageObjectPostSingleWaitWindow
                                            • String ID:
                                            • API String ID: 1391784381-0
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,?,?,0101FDBF,?,?,?,00000000,00000000,?,75C0B390,?,?,?,01020138,?), ref: 01022AB6
                                            • RtlFreeHeap.NTDLL(00000000,?,0101FDBF,?,?,?,00000000,00000000,?,75C0B390,?,?,?,01020138,?,?), ref: 01022ABD
                                            • GetLastError.KERNEL32(?,0101FDBF,?,?,?,00000000,00000000,?,75C0B390,?,?,?,01020138,?,?,?), ref: 01022ACB
                                            Similarity
                                            • API ID: Heap$ErrorFreeLastProcess
                                            • String ID:
                                            • API String ID: 406640338-0
                                            APIs
                                            • VariantInit.OLEAUT32(?), ref: 010258B0
                                              • Part of subcall function 010256D9: GetModuleHandleA.KERNEL32(kernel32.dll,?,00000000,?,?,010258C1,00000000,?,00000000), ref: 010256F7
                                              • Part of subcall function 010256D9: GetLastError.KERNEL32(?,?,010258C1,00000000,?,00000000,?,?,?,?,?,?,?,?,01013EC5,00FF2222), ref: 01025703
                                            Strings
                                            Similarity
                                            • API ID: ErrorHandleInitLastModuleVariant
                                            • String ID: WixBundleElevated
                                            • API String ID: 52713655-4097796520
                                            APIs
                                            • RegCreateKeyExW.KERNELBASE(00000001,00000000,00000000,00000000,00000000,00000001,00FF13BB,?,?,00000001,?,00FF727D,?,00FF13BB,00020006,00000001), ref: 01023D4E
                                            Strings
                                            Similarity
                                            • API ID: Create
                                            • String ID: regutil.cpp
                                            • API String ID: 2289755597-955085611
                                            APIs
                                            • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,01027ABC,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 01023DAE
                                            Strings
                                            Similarity
                                            • API ID: Open
                                            • String ID: regutil.cpp
                                            • API String ID: 71445658-955085611
                                            APIs
                                            • RegCreateKeyExW.KERNELBASE(00020006,?,00000000,00000000,00000000,?,00000000,00FF6976,00000000,00000000,00000001,?,00FF6976,?,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006), ref: 01023CF4
                                            Strings
                                            Similarity
                                            • API ID: Create
                                            • String ID: regutil.cpp
                                            • API String ID: 2289755597-955085611
                                            APIs
                                            • RegSetValueExW.KERNELBASE(?,00020006,00000000,00000004,00FF68EA,00000004,00000001,?,00FF68EA,00020006,Resume,00FF13BB,00000000,00000000,?,?), ref: 01023C4E
                                            Strings
                                            Similarity
                                            • API ID: Value
                                            • String ID: regutil.cpp
                                            • API String ID: 3702945584-955085611
                                            APIs
                                            • ___crtCorExitProcess.LIBCMT ref: 01019123
                                              • Part of subcall function 010190F0: GetModuleHandleW.KERNEL32(mscoree.dll,?,01019128,00000000,?,0101BB9F,000000FF,0000001E,00000001,00000000,00000000,?,0101C627,00000000,00000001,00000000), ref: 010190FA
                                              • Part of subcall function 010190F0: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0101910A
                                            • ExitProcess.KERNEL32 ref: 0101912C
                                            Similarity
                                            • API ID: ExitProcess$AddressHandleModuleProc___crt
                                            • String ID:
                                            • API String ID: 2427264223-0
                                            APIs
                                            Similarity
                                            • API ID: _memset
                                            • String ID:
                                            • API String ID: 2102423945-0
                                            APIs
                                              • Part of subcall function 010288C8: lstrlenW.KERNEL32(?,?,?,010289E8,?,?,?,00000000,?,?,?,0100FB81,?,?,?,00000000), ref: 010288EB
                                            • RegCloseKey.KERNELBASE(00000000,?,8000FFFF,?,?,?,8000FFFF,00000000,?,?,?,00000000,000000B9,01013E1D,?,?), ref: 01028C6E
                                              • Part of subcall function 01023D2A: RegCreateKeyExW.KERNELBASE(00000001,00000000,00000000,00000000,00000000,00000001,00FF13BB,?,?,00000001,?,00FF727D,?,00FF13BB,00020006,00000001), ref: 01023D4E
                                              • Part of subcall function 01024111: RegSetValueExW.KERNELBASE(00020006,?,00000000,00000001,?,00000000,?,000000FF,00000000,00000001,?,?,00FF6994,00000000,?,00020006), ref: 01024144
                                            Similarity
                                            • API ID: CloseCreateValuelstrlen
                                            • String ID:
                                            • API String ID: 1356686001-0
                                            APIs
                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000000,01047044,00000000,00000000,?,?,01007A2A,WiX\Burn,PackageCache,00000000,01047044,00000000,00000000,00000000), ref: 01027B83
                                              • Part of subcall function 010237DF: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,80070002,80070003,00000000,00000000,00000000), ref: 01023850
                                              • Part of subcall function 010237DF: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 01023889
                                            Similarity
                                            • API ID: QueryValue$Close
                                            • String ID:
                                            • API String ID: 1979452859-0
                                            APIs
                                            • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,01007AE2,0000001C,00000000,00000000,00000000,00000000), ref: 010225C2
                                            Similarity
                                            • API ID: FolderPath
                                            • String ID:
                                            • API String ID: 1514166925-0
                                            APIs
                                            • HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000), ref: 00FF100C
                                              • Part of subcall function 00FF1B46: _memset.LIBCMT ref: 00FF1BA5
                                              • Part of subcall function 00FF1B46: _memset.LIBCMT ref: 00FF1BC9
                                              • Part of subcall function 00FF1B46: CoUninitialize.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00FF1F08
                                            Similarity
                                            • API ID: _memset$HeapInformationUninitialize
                                            • String ID:
                                            • API String ID: 1504587645-0
                                            APIs
                                            • _doexit.LIBCMT ref: 0101937F
                                              • Part of subcall function 01019233: __lock.LIBCMT ref: 01019241
                                              • Part of subcall function 01019233: DecodePointer.KERNEL32(01043350,00000020,0101939A,00000000,00000001,00000000,?,010193DA,000000FF,?,0101BE72,00000011,00000000,?,01019E0F,0000000D), ref: 0101927D
                                              • Part of subcall function 01019233: DecodePointer.KERNEL32(?,010193DA,000000FF,?,0101BE72,00000011,00000000,?,01019E0F,0000000D,?,0102924C,?), ref: 0101928E
                                              • Part of subcall function 01019233: DecodePointer.KERNEL32(-00000004,?,010193DA,000000FF,?,0101BE72,00000011,00000000,?,01019E0F,0000000D,?,0102924C,?), ref: 010192B4
                                              • Part of subcall function 01019233: DecodePointer.KERNEL32(?,010193DA,000000FF,?,0101BE72,00000011,00000000,?,01019E0F,0000000D,?,0102924C,?), ref: 010192C7
                                              • Part of subcall function 01019233: DecodePointer.KERNEL32(?,010193DA,000000FF,?,0101BE72,00000011,00000000,?,01019E0F,0000000D,?,0102924C,?), ref: 010192D1
                                            Similarity
                                            • API ID: DecodePointer$__lock_doexit
                                            • String ID:
                                            • API String ID: 3343572566-0
                                            APIs
                                            • TlsGetValue.KERNEL32(?), ref: 00FF1350
                                              • Part of subcall function 01022EB5: lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,00FF1371,?,?,?), ref: 01022EBE
                                              • Part of subcall function 01022EB5: _memcpy_s.LIBCMT ref: 01022EF2
                                            Similarity
                                            • API ID: Value_memcpy_slstrlen
                                            • String ID:
                                            • API String ID: 32415546-0
                                            APIs
                                            • lstrlenW.KERNEL32(?,?,00000000,00000000,?,01022CFE,?,0102B5F8,00000000,?,00000000,00000004,00000000,00000004,?,00000000), ref: 0102175A
                                              • Part of subcall function 0102293A: GetProcessHeap.KERNEL32(00000000,?,?,01020E95,?,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000,00000000), ref: 01022942
                                              • Part of subcall function 0102293A: HeapSize.KERNEL32(00000000,?,01020E95,?,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000,00000000,?), ref: 01022949
                                            Similarity
                                            • API ID: Heap$ProcessSizelstrlen
                                            • String ID:
                                            • API String ID: 3492610842-0
                                            APIs
                                            • Sleep.KERNEL32(0100787B,00000000,00000000,?,0100787B,?,00000000,00000001,00000001,00000003,000007D0,?,?,00000000), ref: 0102618F
                                            Similarity
                                            • API ID: Sleep
                                            • String ID:
                                            • API String ID: 3472027048-0
                                            APIs
                                            • Sleep.KERNEL32(00000000,?,?,01007B9B,00000000,?,00000001,00000003,000007D0,?,?,01009CB4,00000000,00000000,00000000,00000000), ref: 01026045
                                            Similarity
                                            • API ID: Sleep
                                            • String ID:
                                            • API String ID: 3472027048-0
                                            APIs
                                            • CloseHandle.KERNELBASE(?,?), ref: 01016784
                                            Similarity
                                            • API ID: CloseHandle
                                            • String ID:
                                            • API String ID: 2962429428-0
                                            APIs
                                            • GetCurrentProcess.KERNEL32(00000020,?), ref: 00FF13E4
                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00FF13EB
                                            • GetLastError.KERNEL32 ref: 00FF13F5
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00FF1445
                                            • GetLastError.KERNEL32 ref: 00FF144F
                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 00FF1494
                                            • GetLastError.KERNEL32 ref: 00FF149E
                                            • Sleep.KERNEL32(000003E8), ref: 00FF14DB
                                            • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,80040002), ref: 00FF14EB
                                            • GetLastError.KERNEL32 ref: 00FF14F5
                                            • CloseHandle.KERNEL32(?), ref: 00FF154F
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSleepSystemValue
                                            • String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$engine.cpp
                                            • API String ID: 2241679041-1583736410
                                            APIs
                                            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 00FF35DA
                                            • GetLastError.KERNEL32(00000000,00FF17A1,00FFBD45,00FF130D,?), ref: 00FF35E3
                                            • CreateNamedPipeW.KERNEL32(00FF130D,00080003,00000000,00000001,00010000,00010000,00000001,?,00FF130D,00000000,00FF17A1,00FFBD45,00FF130D,?), ref: 00FF3696
                                            • GetLastError.KERNEL32 ref: 00FF36A0
                                            • CloseHandle.KERNEL32(?,pipe.cpp,0000014E,000000FF), ref: 00FF3726
                                            • LocalFree.KERNEL32(?,00FF130D), ref: 00FF3746
                                            • CreateNamedPipeW.KERNEL32(00FF130D,00080003,00000000,00000001,00010000,00010000,00000001,00000000), ref: 00FF3761
                                            • GetLastError.KERNEL32 ref: 00FF3768
                                            Strings
                                            • Failed to allocate full name of cache pipe: %ls, xrefs: 00FF3715
                                            • Failed to create pipe: %ls, xrefs: 00FF36D7, 00FF379F
                                            • D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD), xrefs: 00FF35D5
                                            • Failed to allocate full name of pipe: %ls, xrefs: 00FF365B
                                            • pipe.cpp, xrefs: 00FF360D, 00FF36CA, 00FF3792
                                            • Failed to create the security descriptor for the connection event and pipe., xrefs: 00FF3617
                                            • \\.\pipe\%ls, xrefs: 00FF3644
                                            • \\.\pipe\%ls.Cache, xrefs: 00FF36FB
                                            Similarity
                                            • API ID: ErrorLast$CreateDescriptorNamedPipeSecurity$CloseConvertFreeHandleLocalString
                                            • String ID: D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD)$Failed to allocate full name of cache pipe: %ls$Failed to allocate full name of pipe: %ls$Failed to create pipe: %ls$Failed to create the security descriptor for the connection event and pipe.$\\.\pipe\%ls$\\.\pipe\%ls.Cache$pipe.cpp
                                            • API String ID: 1214480349-3253666091
                                            APIs
                                              • Part of subcall function 01025C4F: SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,010081A9,?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 01025C65
                                              • Part of subcall function 01025C4F: GetLastError.KERNEL32(?,010081A9,?,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,01009C26,00000000,?), ref: 01025C6F
                                            • InternetReadFile.WININET(?,00000000,?,?), ref: 0101702E
                                            • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0101705D
                                            Strings
                                            Similarity
                                            • API ID: File$ErrorInternetLastPointerReadWrite
                                            • String ID: Failed to seek to start point in file.$Failed to write data from internet.$Failed while reading from internet.$UX aborted on cache progress.$downloadengine.cpp
                                            • API String ID: 1734627056-3175886020
                                            APIs
                                              • Part of subcall function 010228F3: GetProcessHeap.KERNEL32(?,?,?,01020F41,?,00000001,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000), ref: 01022904
                                              • Part of subcall function 010228F3: RtlAllocateHeap.NTDLL(00000000,?,01020F41,?,00000001,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000,00000000), ref: 0102290B
                                            • LookupAccountNameW.ADVAPI32(00000000,000000FF,?,?,00000000,000000FF,?), ref: 01020242
                                            • GetLastError.KERNEL32 ref: 01020252
                                            • GetLastError.KERNEL32(?,00000044,00000001), ref: 01020274
                                            Strings
                                            Similarity
                                            • API ID: ErrorHeapLast$AccountAllocateLookupNameProcess
                                            • String ID: D$aclutil.cpp
                                            • API String ID: 1410359055-2185417647
                                            APIs
                                            • CryptHashPublicKeyInfo.CRYPT32(00000000,00008004,00000000,00000001,?,?,00000014), ref: 010085D5
                                            • GetLastError.KERNEL32 ref: 01008671
                                            Strings
                                            • cache.cpp, xrefs: 01008696
                                            • Failed to get certificate public key identifier., xrefs: 010086A0
                                            • Failed to read certificate thumbprint., xrefs: 010086A7
                                            • Failed to find expected public key in certificate chain., xrefs: 010086B9
                                            Similarity
                                            • API ID: CryptErrorHashInfoLastPublic
                                            • String ID: Failed to find expected public key in certificate chain.$Failed to get certificate public key identifier.$Failed to read certificate thumbprint.$cache.cpp
                                            APIs
                                            • IsDebuggerPresent.KERNEL32 ref: 0101A5EF
                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0101A604
                                            • UnhandledExceptionFilter.KERNEL32(01040A28), ref: 0101A60F
                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 0101A62B
                                            • TerminateProcess.KERNEL32(00000000), ref: 0101A632
                                            Similarity
                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                            APIs
                                            • GetTimeZoneInformation.KERNEL32(?,01041F04,?), ref: 01028573
                                            • SystemTimeToTzSpecificLocalTime.KERNEL32(?,?,?), ref: 01028585
                                            Strings
                                            • %04hu-%02hu-%02huT%02hu:%02hu:%02huZ, xrefs: 0102855C
                                            • %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u, xrefs: 010285CD
                                            Similarity
                                            • API ID: Time$InformationLocalSpecificSystemZone
                                            • String ID: %04hu-%02hu-%02huT%02hu:%02hu:%02hu%c%02u:%02u$%04hu-%02hu-%02huT%02hu:%02hu:%02huZ
                                            Strings
                                            • Failed to copy working folder., xrefs: 01008742
                                            • Failed to calculate working folder to ensure it exists., xrefs: 01008704
                                            • Failed create working folder., xrefs: 0100871A
                                            Similarity
                                            • API ID: ErrorLastPathTemp_memset
                                            • String ID: Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.
                                            APIs
                                            • ChangeServiceConfigW.ADVAPI32(?,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,?,0100EFF9,?), ref: 0100EDDC
                                            • GetLastError.KERNEL32(?,0100EFF9,?,00000003,?,?), ref: 0100EDE6
                                            Strings
                                            • msuengine.cpp, xrefs: 0100EE0B
                                            • Failed to set service start type., xrefs: 0100EE15
                                            Similarity
                                            • API ID: ChangeConfigErrorLastService
                                            • String ID: Failed to set service start type.$msuengine.cpp
                                            APIs
                                              • Part of subcall function 01026AAB: RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,?,?,?,00000000,?,?,?,01026B57,?), ref: 01026B19
                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 01026B7B
                                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 01026B8C
                                            Similarity
                                            • API ID: AllocateCheckCloseInitializeMembershipToken
                                            APIs
                                            • SetUnhandledExceptionFilter.KERNEL32(Function_000290A0), ref: 010190E7
                                            Similarity
                                            • API ID: ExceptionFilterUnhandled
                                            Strings
                                            Similarity
                                            • API ID: StringVariant$AllocClearFreeInit
                                            • String ID: AsyncInstall$AsyncRepair$AsyncUninstall$Code$DetectCondition$ExitCode$Failed to allocate memory for exit code structs.$Failed to convert @Code value: %ls$Failed to get @AsyncInstall.$Failed to get @AsyncRepair.$Failed to get @AsyncUninstall.$Failed to get @Code.$Failed to get @DetectCondition.$Failed to get @InstallArguments.$Failed to get @Protocol.$Failed to get @RepairArguments.$Failed to get @Repairable.$Failed to get @Type.$Failed to get @UninstallArguments.$Failed to get exit code node count.$Failed to get next node.$Failed to parse @Code value: %ls$Failed to select exit code nodes.$InstallArguments$Invalid exit code type: %ls$Protocol$RepairArguments$Repairable$Type$UninstallArguments$burn$error$exeengine.cpp$forceReboot$netfx4$none$scheduleReboot$success
                                            APIs
                                              • Part of subcall function 01025A1A: VariantInit.OLEAUT32(?), ref: 01025A30
                                              • Part of subcall function 01025A1A: SysAllocString.OLEAUT32(?), ref: 01025A4C
                                              • Part of subcall function 01025A1A: VariantClear.OLEAUT32(?), ref: 01025AD3
                                              • Part of subcall function 01025A1A: SysFreeString.OLEAUT32(00000000), ref: 01025ADE
                                            • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000001,Packaging,00000000,00000001,FilePath,?,00000001,0102CBE0,?,00000000), ref: 00FF4EA5
                                            • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,embedded,000000FF), ref: 00FF4EC5
                                            • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,external,000000FF), ref: 00FF4EE3
                                            Strings
                                            Similarity
                                            • API ID: String$Compare$Variant$AllocClearFreeInit
                                            • String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$X$download$embedded$external$payload.cpp
                                            APIs
                                            • _memset.LIBCMT ref: 0100A947
                                            • _memset.LIBCMT ref: 0100A980
                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,?,01013E1D), ref: 0100AF75
                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,00000000,?,01013E1D), ref: 0100AF8B
                                            Strings
                                            • Failed to format argument string., xrefs: 0100AA78
                                            • Failed to CreateProcess on path: %ls, xrefs: 0100ADD3
                                            • %ls -%ls=%ls, xrefs: 0100AB57, 0100AB72, 0100ABAA, 0100ABDA, 0100AC05
                                            • Process returned error: 0x%x, xrefs: 0100AE7F
                                            • "%ls" %s, xrefs: 0100AA91, 0100AAEA
                                            • Failed to get cached path for package: %ls, xrefs: 0100A9C6
                                            • 2, xrefs: 0100AE12
                                            • Failed to create obfuscated executable command., xrefs: 0100AB3A
                                            • Failed to append the list of ancestors to the command line., xrefs: 0100ABEA
                                            • Failed to get bundle element., xrefs: 0100AB60
                                            • "%ls", xrefs: 0100AB06, 0100AB26
                                            • Failed to append the list of dependencies to ignore to the command line., xrefs: 0100AB82
                                            • Failed to format obfuscated argument string., xrefs: 0100AACE
                                            • burn.ancestors, xrefs: 0100ABC9, 0100ABFA
                                            • Failed to run netfx chainer: %ls, xrefs: 0100AD34
                                            • Failed to build executable path., xrefs: 0100A9FC
                                            • exeengine.cpp, xrefs: 0100ADC3, 0100AE6F, 0100AEA3
                                            • Failed to append the list of ancestors to the obfuscated command line., xrefs: 0100AC15
                                            • Failed to wait for executable to complete: %ls, xrefs: 0100AEC2
                                            • Bootstrapper application aborted during EXE progress., xrefs: 0100AEAD
                                            • D, xrefs: 0100AD84
                                            • Failed to append the list of dependencies to ignore to the obfuscated command line., xrefs: 0100ABBA
                                            • Failed to create executable command., xrefs: 0100AAA5
                                            • Failed to get action arguments for executable package., xrefs: 0100AA21
                                            • Failed to run bundle asynchronously from path: %ls, xrefs: 0100ACE6
                                            • Failed to run bundle as embedded from path: %ls, xrefs: 0100AC9F
                                            • burn.ignoredependencies, xrefs: 0100AB61, 0100AB9F
                                            Similarity
                                            • API ID: CloseHandle_memset
                                            • String ID: "%ls"$"%ls" %s$%ls -%ls=%ls$2$Bootstrapper application aborted during EXE progress.$D$Failed to CreateProcess on path: %ls$Failed to append the list of ancestors to the command line.$Failed to append the list of ancestors to the obfuscated command line.$Failed to append the list of dependencies to ignore to the command line.$Failed to append the list of dependencies to ignore to the obfuscated command line.$Failed to build executable path.$Failed to create executable command.$Failed to create obfuscated executable command.$Failed to format argument string.$Failed to format obfuscated argument string.$Failed to get action arguments for executable package.$Failed to get bundle element.$Failed to get cached path for package: %ls$Failed to run bundle as embedded from path: %ls$Failed to run bundle asynchronously from path: %ls$Failed to run netfx chainer: %ls$Failed to wait for executable to complete: %ls$Process returned error: 0x%x$burn.ancestors$burn.ignoredependencies$exeengine.cpp
                                            APIs
                                            • _memset.LIBCMT ref: 0100F088
                                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,01000DF6,00000007,?,?,Function_0000F685,?,?), ref: 0100F0B1
                                              • Part of subcall function 0102057A: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,00000000,?,?,00FF9127,00000000), ref: 0102058E
                                              • Part of subcall function 0102057A: GetProcAddress.KERNEL32(00000000), ref: 01020595
                                              • Part of subcall function 0102057A: GetLastError.KERNEL32(?,?,00FF9127,00000000), ref: 010205AC
                                            • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?), ref: 0100F2E4
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,wusa.exe,?,00000025,?,00000000), ref: 0100F2EE
                                            • GetExitCodeProcess.KERNEL32(?,?), ref: 0100F37B
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,wusa.exe,?,00000025,?,00000000), ref: 0100F385
                                            • CloseHandle.KERNEL32(?,?,000001F4,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025,?), ref: 0100F497
                                            • CloseHandle.KERNEL32(?,?,000001F4,?,?,?,?,?,?,?,?,?,wusa.exe,?,00000025,?), ref: 0100F4A4
                                            Strings
                                            • Failed to CreateProcess on path: %ls, xrefs: 0100F320
                                            • Failed to get cached path for package: %ls, xrefs: 0100F185
                                            • D, xrefs: 0100F2D7
                                            • Failed to format MSU uninstall command., xrefs: 0100F206
                                            • Failed to build MSU path., xrefs: 0100F1B5
                                            • Failed to append log path to MSU command-line., xrefs: 0100F248
                                            • 2, xrefs: 0100F343
                                            • Failed to find Windows directory., xrefs: 0100F0E3
                                            • SysNative\, xrefs: 0100F0F1
                                            • Failed to format MSU install command., xrefs: 0100F1DC
                                            • msuengine.cpp, xrefs: 0100F313, 0100F3AA, 0100F3D1
                                            • Failed to wait for executable to complete: %ls, xrefs: 0100F3E8
                                            • "%ls" "%ls" /quiet /norestart, xrefs: 0100F1C8
                                            • Failed to get action arguments for MSU package., xrefs: 0100F15F
                                            • Failed to allocate WUSA.exe path., xrefs: 0100F140
                                            • "%ls" /uninstall /kb:%ls /quiet /norestart, xrefs: 0100F1F2
                                            • Bootstrapper application aborted during MSU progress., xrefs: 0100F3DB
                                            • Failed to determine WOW64 status., xrefs: 0100F0C3
                                            • Failed to find System32 directory., xrefs: 0100F11F
                                            • wusa.exe, xrefs: 0100F12D
                                            • Failed to append SysNative directory., xrefs: 0100F104
                                            • Failed to append log switch to MSU command-line., xrefs: 0100F22E
                                            • Failed to get process exit code., xrefs: 0100F3B4
                                            • Failed to ensure WU service was enabled to install MSU package., xrefs: 0100F2AD
                                            • /log:, xrefs: 0100F21A
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorHandleLastProcess$Close$AddressCodeCreateCurrentExitModuleProc_memset
                                            • String ID: /log:$"%ls" "%ls" /quiet /norestart$"%ls" /uninstall /kb:%ls /quiet /norestart$2$Bootstrapper application aborted during MSU progress.$D$Failed to CreateProcess on path: %ls$Failed to allocate WUSA.exe path.$Failed to append SysNative directory.$Failed to append log path to MSU command-line.$Failed to append log switch to MSU command-line.$Failed to build MSU path.$Failed to determine WOW64 status.$Failed to ensure WU service was enabled to install MSU package.$Failed to find System32 directory.$Failed to find Windows directory.$Failed to format MSU install command.$Failed to format MSU uninstall command.$Failed to get action arguments for MSU package.$Failed to get cached path for package: %ls$Failed to get process exit code.$Failed to wait for executable to complete: %ls$SysNative\$msuengine.cpp$wusa.exe
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?,00000000,?,80070490,?,?,?,?,?,?,?,?,01014077,?,?,?), ref: 00FFA0FA
                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,01014077,?,?,?,?,?,Chain), ref: 00FFA410
                                            Strings
                                            • Persisted, xrefs: 00FFA1A1
                                            • Invalid value for @Type: %ls, xrefs: 00FFA382
                                            • Value, xrefs: 00FFA1BC
                                            • Failed to change variant type., xrefs: 00FFA3D9
                                            • Failed to set value of variable: %ls, xrefs: 00FFA3FF
                                            • Initializing version variable '%ls' to value '%ls', xrefs: 00FFA29A
                                            • Failed to insert variable '%ls'., xrefs: 00FFA3F5
                                            • Attempt to set built-in variable value: %ls, xrefs: 00FFA3A1
                                            • string, xrefs: 00FFA247
                                            • Failed to get @Value., xrefs: 00FFA3C4
                                            • Type, xrefs: 00FFA1FA
                                            • version, xrefs: 00FFA278
                                            • Failed to get @Hidden., xrefs: 00FFA3B6
                                            • Initializing numeric variable '%ls' to value '%ls', xrefs: 00FFA233
                                            • Hidden, xrefs: 00FFA186
                                            • Initializing hidden variable '%ls', xrefs: 00FFA2B7
                                            • Failed to get @Id., xrefs: 00FFA3AF
                                            • numeric, xrefs: 00FFA215
                                            • Failed to select variable nodes., xrefs: 00FFA117
                                            • Initializing string variable '%ls' to value '%ls', xrefs: 00FFA265
                                            • Variable, xrefs: 00FFA104
                                            • Failed to get next node., xrefs: 00FFA3A8
                                            • Failed to set variant value., xrefs: 00FFA3CB
                                            • Failed to find variable value '%ls'., xrefs: 00FFA3EB
                                            • variable.cpp, xrefs: 00FFA394
                                            • Failed to get variable node count., xrefs: 00FFA134
                                            • Failed to get @Persisted., xrefs: 00FFA3BD
                                            • Failed to get @Type., xrefs: 00FFA3D2
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID: Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$numeric$string$variable.cpp$version
                                            APIs
                                            • _memset.LIBCMT ref: 010153BE
                                            • UuidCreate.RPCRT4(?), ref: 010153D6
                                            • StringFromGUID2.OLE32(?,?,00000027), ref: 010153F7
                                            • CloseHandle.KERNEL32(?,NetFxChainer.cpp,000001A8,00000000,?,?,?,?), ref: 010156F9
                                            • CloseHandle.KERNEL32(?,NetFxChainer.cpp,000001A8,00000000,?,?,?,?), ref: 0101570F
                                            Strings
                                            • Failed to process netfx chainer message., xrefs: 01015570
                                            • Failed to wait for netfx chainer process to complete, xrefs: 010156A8
                                            • Failed to allocate section name., xrefs: 0101543D
                                            • Failed to get netfx return code., xrefs: 0101561F
                                            • Failed to CreateProcess on path: %ls, xrefs: 0101551C
                                            • %ls /pipe %ls, xrefs: 0101549D
                                            • Failed to send internal error message from netfx chainer., xrefs: 01015672
                                            • Failed to create netfx chainer., xrefs: 01015481
                                            • Failed to allocate event name., xrefs: 01015462
                                            • Failed to convert netfx chainer guid into string., xrefs: 01015416
                                            • NetFxChainer.cpp, xrefs: 0101540C, 0101550F, 01015615, 0101569E
                                            • NetFxSection.%ls, xrefs: 01015427
                                            • Failed to create netfx chainer guid., xrefs: 010153E3
                                            • D, xrefs: 010154D3
                                            • NetFxEvent.%ls, xrefs: 0101544E
                                            • Failed to allocate netfx chainer arguments., xrefs: 010154B1
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CloseHandle$CreateFromStringUuid_memset
                                            • String ID: %ls /pipe %ls$D$Failed to CreateProcess on path: %ls$Failed to allocate event name.$Failed to allocate netfx chainer arguments.$Failed to allocate section name.$Failed to convert netfx chainer guid into string.$Failed to create netfx chainer guid.$Failed to create netfx chainer.$Failed to get netfx return code.$Failed to process netfx chainer message.$Failed to send internal error message from netfx chainer.$Failed to wait for netfx chainer process to complete$NetFxChainer.cpp$NetFxEvent.%ls$NetFxSection.%ls
                                            APIs
                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00FF79E4
                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00FF7A0A
                                            • RegCloseKey.ADVAPI32(00FF8B48,?,00000000,?,00000000,?,?,?,?,00000000), ref: 00FF7D0F
                                            Strings
                                            • RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 00FF7CDC
                                            • Failed to query registry key value size., xrefs: 00FF7AEF
                                            • Failed to format key string., xrefs: 00FF79EF
                                            • Failed to get expand environment string., xrefs: 00FF7C75
                                            • Unsupported registry key value type. Type = '%u', xrefs: 00FF7B9B
                                            • Failed to read registry value., xrefs: 00FF7C90
                                            • Failed to change value type., xrefs: 00FF7CA9
                                            • Registry key not found. Key = '%ls'; variable = '%ls', xrefs: 00FF7A3F
                                            • Failed to allocate string buffer., xrefs: 00FF7C00
                                            • Failed to allocate memory registry value., xrefs: 00FF7B23
                                            • Failed to open registry key., xrefs: 00FF7A7A
                                            • search.cpp, xrefs: 00FF7AE5, 00FF7B19, 00FF7B69, 00FF7C6B
                                            • Failed to format value string., xrefs: 00FF7A15
                                            • Failed to set variable., xrefs: 00FF7CC7
                                            • Failed to query registry key value., xrefs: 00FF7B73
                                            • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00FF7AAB
                                            • Failed to clear variable., xrefs: 00FF7A65
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Open@16$Close
                                            • String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'; variable = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$search.cpp
                                            APIs
                                            • lstrlenW.KERNEL32(CAE5E856,00000000,00FF130D,80070642,?,00FFBD45,00FF130D,?,75C0B390,?,?,00FF130D), ref: 00FF2BE4
                                            • GetCurrentProcessId.KERNEL32(?,00FFBD45,00FF130D,?,75C0B390,?,?,00FF130D), ref: 00FF2BEF
                                            • SetNamedPipeHandleState.KERNEL32(?,?,00000000,00000000,?,00FFBD45,00FF130D,?,75C0B390,?), ref: 00FF2C2B
                                            • ConnectNamedPipe.KERNEL32(?,00000000,?,00FFBD45,00FF130D,?,75C0B390,?), ref: 00FF2C46
                                            • GetLastError.KERNEL32(?,00FFBD45,00FF130D,?,75C0B390,?), ref: 00FF2C50
                                            • Sleep.KERNEL32(00000064,?,00FFBD45,00FF130D,?,75C0B390,?), ref: 00FF2C7B
                                            • SetNamedPipeHandleState.KERNEL32(?,00000001,00000000,00000000,?,00FFBD45,00FF130D,?,75C0B390,?), ref: 00FF2CB3
                                            • WriteFile.KERNEL32(?,?,00000004,000000FF,00000000,?,00FFBD45,00FF130D,?,75C0B390,?), ref: 00FF2CD4
                                            • WriteFile.KERNEL32(?,75C0B390,?,000000FF,00000000,?,00FFBD45,00FF130D,?,75C0B390,?), ref: 00FF2CF5
                                            • WriteFile.KERNEL32(?,?,00000004,000000FF,00000000,?,00FFBD45,00FF130D,?,75C0B390,?), ref: 00FF2D16
                                            • ReadFile.KERNEL32(?,00FF130D,00000004,000000FF,00000000,?,00FFBD45,00FF130D,?,75C0B390,?), ref: 00FF2D37
                                            • GetLastError.KERNEL32(?,00FFBD45,00FF130D,?,75C0B390,?), ref: 00FF2D76
                                            • GetLastError.KERNEL32(?,00FFBD45,00FF130D,?,75C0B390,?), ref: 00FF2DA9
                                            • GetLastError.KERNEL32(?,00FFBD45,00FF130D,?,75C0B390,?), ref: 00FF2DDC
                                            • GetLastError.KERNEL32(?,00FFBD45,00FF130D,?,75C0B390,?), ref: 00FF2E0F
                                            • GetLastError.KERNEL32(?,00FFBD45,00FF130D,?,75C0B390,?), ref: 00FF2E3F
                                            • GetLastError.KERNEL32(?,00FFBD45,00FF130D,?,75C0B390,?), ref: 00FF2E6F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
                                            • String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$pipe.cpp
                                            APIs
                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,010183D7), ref: 0101A043
                                            • __mtterm.LIBCMT ref: 0101A04F
                                              • Part of subcall function 01019D88: DecodePointer.KERNEL32(00000005,0101A1B1,?,010183D7), ref: 01019D99
                                              • Part of subcall function 01019D88: TlsFree.KERNEL32(00000011,0101A1B1,?,010183D7), ref: 01019DB3
                                              • Part of subcall function 01019D88: DeleteCriticalSection.KERNEL32(00000000,00000000,76EF5810,?,0101A1B1,?,010183D7), ref: 0101BD38
                                              • Part of subcall function 01019D88: _free.LIBCMT ref: 0101BD3B
                                              • Part of subcall function 01019D88: DeleteCriticalSection.KERNEL32(00000011,76EF5810,?,0101A1B1,?,010183D7), ref: 0101BD62
                                            • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0101A065
                                            • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0101A072
                                            • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0101A07F
                                            • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0101A08C
                                            • TlsAlloc.KERNEL32(?,010183D7), ref: 0101A0DC
                                            • TlsSetValue.KERNEL32(00000000,?,010183D7), ref: 0101A0F7
                                            • __init_pointers.LIBCMT ref: 0101A101
                                            • EncodePointer.KERNEL32(?,010183D7), ref: 0101A112
                                            • EncodePointer.KERNEL32(?,010183D7), ref: 0101A11F
                                            • EncodePointer.KERNEL32(?,010183D7), ref: 0101A12C
                                            • EncodePointer.KERNEL32(?,010183D7), ref: 0101A139
                                            • DecodePointer.KERNEL32(01019F0C,?,010183D7), ref: 0101A15A
                                            • __calloc_crt.LIBCMT ref: 0101A16F
                                            • DecodePointer.KERNEL32(00000000,?,010183D7), ref: 0101A189
                                            • GetCurrentThreadId.KERNEL32 ref: 0101A19B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                            • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL$PNv
                                            APIs
                                              • Part of subcall function 010228F3: GetProcessHeap.KERNEL32(?,?,?,01020F41,?,00000001,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000), ref: 01022904
                                              • Part of subcall function 010228F3: RtlAllocateHeap.NTDLL(00000000,?,01020F41,?,00000001,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000,00000000), ref: 0102290B
                                            • CreateEventW.KERNEL32(00000000,00000000,00000000,?,00000018,00000001,00000000,00000000,00000000,?,?,0101547B,?,?,?), ref: 010150D6
                                            • GetLastError.KERNEL32(?,?,0101547B,?,?,?), ref: 010150E3
                                            • ReleaseMutex.KERNEL32(?), ref: 0101534F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Heap$AllocateCreateErrorEventLastMutexProcessRelease
                                            • String ID: %ls_mutex$%ls_send$Failed to MapViewOfFile for %ls.$Failed to allocate memory for NetFxChainer struct.$Failed to create event: %ls$Failed to create mutex: %ls$Failed to memory map cabinet file: %ls$NetFxChainer.cpp$failed to allocate memory for event name$failed to allocate memory for mutex name$failed to copy event name to shared memory structure.
                                            Strings
                                            • Failed to copy display name for pseudo bundle., xrefs: 01014A49
                                            • Failed to append relation type to uninstall arguments for related bundle package, xrefs: 0101497B
                                            • Failed to copy install arguments for related bundle package, xrefs: 010148C0
                                            • Failed to copy key for pseudo bundle., xrefs: 01014881
                                            • Failed to copy download source for pseudo bundle., xrefs: 010147AF
                                            • Failed to copy filename for pseudo bundle., xrefs: 0101475E
                                            • Failed to copy local source path for pseudo bundle., xrefs: 01014781
                                            • Failed to allocate memory for dependency providers., xrefs: 010149E2
                                            • pseudobundle.cpp, xrefs: 010146BC, 010146EF, 010147E5, 010149D8
                                            • Failed to copy key for pseudo bundle payload., xrefs: 0101473B
                                            • Failed to allocate memory for pseudo bundle payload hash., xrefs: 010147EF
                                            • Failed to append relation type to install arguments for related bundle package, xrefs: 010148E1
                                            • Failed to copy repair arguments for related bundle package, xrefs: 01014908
                                            • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 010146F9
                                            • Failed to allocate space for burn package payload inside of related bundle struct, xrefs: 010146C6
                                            • -%ls, xrefs: 0101468F
                                            • Failed to copy uninstall arguments for related bundle package, xrefs: 0101495A
                                            • Failed to append relation type to repair arguments for related bundle package, xrefs: 01014929
                                            • Failed to copy cache id for pseudo bundle., xrefs: 0101489F
                                            • Failed to copy version for pseudo bundle., xrefs: 01014A28
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Similarity
                                            • API ID: Heap$AllocateProcess
                                            • String ID: -%ls$Failed to allocate memory for dependency providers.$Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of related bundle struct$Failed to allocate space for burn payload inside of related bundle struct$Failed to append relation type to install arguments for related bundle package$Failed to append relation type to repair arguments for related bundle package$Failed to append relation type to uninstall arguments for related bundle package$Failed to copy cache id for pseudo bundle.$Failed to copy display name for pseudo bundle.$Failed to copy download source for pseudo bundle.$Failed to copy filename for pseudo bundle.$Failed to copy install arguments for related bundle package$Failed to copy key for pseudo bundle payload.$Failed to copy key for pseudo bundle.$Failed to copy local source path for pseudo bundle.$Failed to copy repair arguments for related bundle package$Failed to copy uninstall arguments for related bundle package$Failed to copy version for pseudo bundle.$pseudobundle.cpp
                                            APIs
                                            Strings
                                            • Failed to get cached path for MSP package: %ls, xrefs: 0100E29E
                                            • Failed to add reboot suppression property on uninstall., xrefs: 0100E461
                                            • Failed to semi-colon delimit patches., xrefs: 0100E2C5
                                            • IGNOREDEPENDENCIES, xrefs: 0100E468
                                            • Failed to uninstall MSP package., xrefs: 0100E4B5
                                            • Failed to add PATCH property on install., xrefs: 0100E3D1
                                            • " REBOOT=ReallySuppress, xrefs: 0100E3FF
                                            • Failed to add properties to obfuscated argument string., xrefs: 0100E36D
                                            • Failed to add reboot suppression property on install., xrefs: 0100E416
                                            • REBOOT=ReallySuppress, xrefs: 0100E44A
                                            • Failed to build MSP path., xrefs: 0100E2B3
                                            • Failed to install MSP package., xrefs: 0100E442
                                            • PATCH=", xrefs: 0100E3BA
                                            • Failed to append patch., xrefs: 0100E2CC
                                            • Failed to add patches to PATCH property on install., xrefs: 0100E3F4
                                            • Failed to initialize external UI handler., xrefs: 0100E1C0
                                            • %ls %ls=ALL, xrefs: 0100E479
                                            • Failed to enable logging for package: %ls to: %ls, xrefs: 0100E2F9
                                            • Failed to add the list of dependencies to ignore to the properties., xrefs: 0100E48D
                                            • Failed to add properties to argument string., xrefs: 0100E337
                                            Similarity
                                            • API ID: _memset
                                            • String ID: PATCH="$ REBOOT=ReallySuppress$" REBOOT=ReallySuppress$%ls %ls=ALL$Failed to add PATCH property on install.$Failed to add patches to PATCH property on install.$Failed to add properties to argument string.$Failed to add properties to obfuscated argument string.$Failed to add reboot suppression property on install.$Failed to add reboot suppression property on uninstall.$Failed to add the list of dependencies to ignore to the properties.$Failed to append patch.$Failed to build MSP path.$Failed to enable logging for package: %ls to: %ls$Failed to get cached path for MSP package: %ls$Failed to initialize external UI handler.$Failed to install MSP package.$Failed to semi-colon delimit patches.$Failed to uninstall MSP package.$IGNOREDEPENDENCIES
                                            APIs
                                            • GetStringTypeW.KERNEL32(00000001,?,00000001,010075FF,?,?,00000000,?,?,?,?,010075FF,00000000,?,?), ref: 0100682E
                                            Strings
                                            • Failed to parse condition "%ls". Invalid version format, at position %d., xrefs: 01006A94
                                            • Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d., xrefs: 01006C2B
                                            • Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d., xrefs: 01006A35
                                            • Failed to parse condition "%ls". Unterminated literal at position %d., xrefs: 010068F7
                                            • Failed to set symbol value., xrefs: 01006B74
                                            • NOT, xrefs: 01006B30
                                            • condition.cpp, xrefs: 010068DD, 01006999, 01006A1B, 01006A7A, 01006BE2, 01006C11, 01006C62
                                            • AND, xrefs: 01006B10
                                            • Failed to parse condition "%ls". Unexpected character at position %d., xrefs: 010069B3
                                            • Failed to parse condition "%ls". Constant too big, at position %d., xrefs: 01006BFC
                                            • @, xrefs: 01006834
                                            • Failed to parse condition "%ls". Unexpected '~' operator at position %d., xrefs: 01006C7C
                                            Similarity
                                            • API ID: StringType
                                            • String ID: @$AND$Failed to parse condition "%ls". Constant too big, at position %d.$Failed to parse condition "%ls". Identifier cannot start at a digit, at position %d.$Failed to parse condition "%ls". Invalid version format, at position %d.$Failed to parse condition "%ls". Unexpected '~' operator at position %d.$Failed to parse condition "%ls". Unexpected character at position %d.$Failed to parse condition "%ls". Unterminated literal at position %d.$Failed to parse condition "%ls". Version can have a maximum of 4 parts, at position %d.$Failed to set symbol value.$NOT$condition.cpp
                                            Strings
                                            • Failed to get RelatedBundle nodes, xrefs: 00FF5BF5
                                            • Failed to resize Detect code array in registration, xrefs: 00FF5E11
                                            • Detect, xrefs: 00FF5C80
                                            • RelatedBundle, xrefs: 00FF5BD3
                                            • Failed to get @Id., xrefs: 00FF5E0A
                                            • Upgrade, xrefs: 00FF5CC8
                                            • Failed to get @Action., xrefs: 00FF5E03
                                            • Failed to resize Upgrade code array in registration, xrefs: 00FF5E18
                                            • Invalid value for @Action: %ls, xrefs: 00FF5DB0
                                            • Failed to get RelatedBundle element count., xrefs: 00FF5C12
                                            • Failed to resize Addon code array in registration, xrefs: 00FF5E1F
                                            • Addon, xrefs: 00FF5D10
                                            • Patch, xrefs: 00FF5D55
                                            • Action, xrefs: 00FF5C44
                                            • Failed to get next RelatedBundle element., xrefs: 00FF5DFC
                                            • Failed to resize Patch code array in registration, xrefs: 00FF5E26
                                            Similarity
                                            • API ID:
                                            • String ID: Action$Addon$Detect$Failed to get @Action.$Failed to get @Id.$Failed to get RelatedBundle element count.$Failed to get RelatedBundle nodes$Failed to get next RelatedBundle element.$Failed to resize Addon code array in registration$Failed to resize Detect code array in registration$Failed to resize Patch code array in registration$Failed to resize Upgrade code array in registration$Invalid value for @Action: %ls$Patch$RelatedBundle$Upgrade
                                            APIs
                                              • Part of subcall function 00FFBB67: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,00FFD9EF,?,00000000,75C0B390,?,00000000), ref: 00FFBB76
                                              • Part of subcall function 00FFBB67: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 00FFBB83
                                              • Part of subcall function 00FFBB67: LeaveCriticalSection.KERNEL32(?,?,00FFD9EF,?,00000000,75C0B390,?,00000000), ref: 00FFBB98
                                            • ReleaseMutex.KERNEL32(?,00FF138B,00000000,?,00FF13BB,00000001,00000000), ref: 00FFC727
                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00FF1303,?,?,00FF180F), ref: 00FFC730
                                            • CloseHandle.KERNEL32(?,00FF138B,00000000,?,00FF13BB,00000001,00000000), ref: 00FFC74F
                                              • Part of subcall function 010117E8: SetThreadExecutionState.KERNEL32(80000001), ref: 010117ED
                                            Strings
                                            • Failed to create cache thread., xrefs: 00FFC617
                                            • UX aborted apply begin., xrefs: 00FFC3F2
                                            • Failed to register bundle., xrefs: 00FFC548
                                            • Failed to cache engine to working directory., xrefs: 00FFC4C5
                                            • Another per-user setup is already executing., xrefs: 00FFC433
                                            • Another per-machine setup is already executing., xrefs: 00FFC523
                                            • Failed to elevate., xrefs: 00FFC4E9
                                            • Failed while caching, aborting execution., xrefs: 00FFC633
                                            • Failed to set initial apply variables., xrefs: 00FFC45D
                                            • Engine cannot start apply because it is busy with another action., xrefs: 00FFC3A2
                                            • Failed to send completion over the pipe., xrefs: 00FFC58F
                                            • core.cpp, xrefs: 00FFC3E8, 00FFC60D
                                            • Posted message to parent process to signal that the parent process can stop waiting, xrefs: 00FFC599
                                            Similarity
                                            • API ID: CloseCriticalHandleSection$CompareEnterExchangeExecutionInterlockedLeaveMutexReleaseStateThread
                                            • String ID: Another per-machine setup is already executing.$Another per-user setup is already executing.$Engine cannot start apply because it is busy with another action.$Failed to cache engine to working directory.$Failed to create cache thread.$Failed to elevate.$Failed to register bundle.$Failed to send completion over the pipe.$Failed to set initial apply variables.$Failed while caching, aborting execution.$Posted message to parent process to signal that the parent process can stop waiting$UX aborted apply begin.$core.cpp
                                            APIs
                                            • GetCurrentProcessId.KERNEL32(00000000,01013ED5,00000000), ref: 010158E1
                                            • _memset.LIBCMT ref: 010158FC
                                            • CloseHandle.KERNEL32(0100ACD6,00000000,01015839,01015B2C,?,?,?,?,00000000,?,?,00000001,?), ref: 01015AA1
                                            • CloseHandle.KERNEL32(?,00000000,01015839,01015B2C,?,?,?,?,00000000,?,?,00000001,?), ref: 01015AAE
                                            • CloseHandle.KERNEL32(?,00000000,01015839,01015B2C,?,?,?,?,00000000,?,?,00000001,?), ref: 01015AC8
                                              • Part of subcall function 00FF35AD: ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW0x00100000;;;WD),00000001,?,00000000), ref: 00FF35DA
                                              • Part of subcall function 00FF35AD: GetLastError.KERNEL32(00000000,00FF17A1,00FFBD45,00FF130D,?), ref: 00FF35E3
                                              • Part of subcall function 00FF35AD: LocalFree.KERNEL32(?,00FF130D), ref: 00FF3746
                                            Strings
                                            • Failed to create embedded pipe., xrefs: 0101597A
                                            • Failed to create embedded pipe name and client token., xrefs: 0101595C
                                            • Failed to wait for embedded executable: %ls, xrefs: 01015A85
                                            • Failed to allocate embedded command., xrefs: 010159A8
                                            • embedded.cpp, xrefs: 010159FC
                                            • Failed to create embedded process atpath: %ls, xrefs: 01015A09
                                            • %ls -%ls %ls %ls %u, xrefs: 01015994
                                            • Failed to process messages from embedded message., xrefs: 01015A56
                                            • burn.embedded.async, xrefs: 0101593A, 01015990
                                            • burn.embedded, xrefs: 01015944
                                            • Failed to wait for embedded process to connect to pipe., xrefs: 01015A34
                                            Similarity
                                            • API ID: CloseHandle$DescriptorSecurity$ConvertCurrentErrorFreeLastLocalProcessString_memset
                                            • String ID: %ls -%ls %ls %ls %u$Failed to allocate embedded command.$Failed to create embedded pipe name and client token.$Failed to create embedded pipe.$Failed to create embedded process atpath: %ls$Failed to process messages from embedded message.$Failed to wait for embedded executable: %ls$Failed to wait for embedded process to connect to pipe.$burn.embedded$burn.embedded.async$embedded.cpp
                                            APIs
                                            • CreateFileW.KERNEL32(00FF130D,40000000,00000005,00000000,00000002,08000080,00000000,00000000,00000000,00000000,00FF130D,00FF179D,?,00FF1355,?,00000000), ref: 01007F52
                                            • GetLastError.KERNEL32(?,00FF130D,?,?,00FF180F,?,?,?,00FF1E12,?), ref: 01007F60
                                              • Part of subcall function 01025DFA: ReadFile.KERNEL32(?,?,?,?,00000000,00000000,75C0B390,00000000,?,01007FDD,?,?,?,00000000,00000000,?), ref: 01025E96
                                            • SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000000,?,?,?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0100800F
                                            • GetLastError.KERNEL32(?,00FF130D,?,?,00FF180F,?,?,?,00FF1E12,?), ref: 01008019
                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00FF130D,?,?,00FF180F), ref: 01008153
                                            Strings
                                            • Failed to seek to original data in exe burn section header., xrefs: 01008128
                                            • cache.cpp, xrefs: 01007F85, 0100803E, 010080A9, 0100811E
                                            • Failed to update signature offset., xrefs: 01008066
                                            • Failed to zero out original data offset., xrefs: 01008143
                                            • Failed to seek to beginning of engine file: %ls, xrefs: 01007FBA
                                            • Failed to seek to signature table in exe header., xrefs: 010080B3
                                            • Failed to seek to checksum in exe header., xrefs: 01008048
                                            • Failed to copy engine from: %ls to: %ls, xrefs: 01007FE9
                                            • Failed to create engine file at path: %ls, xrefs: 01007F92
                                            Similarity
                                            • API ID: File$ErrorLast$CloseCreateHandlePointerRead
                                            • String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$cache.cpp
                                            APIs
                                              • Part of subcall function 01027A58: GdiplusStartup.GDIPLUS(?,?,?,00000000,?,010064BE,?,?,?), ref: 01027A65
                                            • LoadCursorW.USER32(00000000,00007F00), ref: 01006506
                                            • RegisterClassW.USER32(?), ref: 0100651A
                                            • GetLastError.KERNEL32 ref: 01006525
                                            • CreateWindowExW.USER32(00000080,0103758C,?,90000000,?,?,?,?,00000000,00000000,?,?), ref: 0100658B
                                            • GetLastError.KERNEL32 ref: 01006598
                                            • SetEvent.KERNEL32(?), ref: 010065DB
                                            • IsDialogMessageW.USER32(?,?), ref: 010065F5
                                            • TranslateMessage.USER32(?), ref: 01006603
                                            • DispatchMessageW.USER32(?), ref: 0100660D
                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0100661A
                                            • UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 01006640
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Message$ClassErrorLast$CreateCursorDialogDispatchEventGdiplusLoadRegisterStartupTranslateUnregisterWindow
                                            • String ID: Failed to create window.$Failed to initialize GDI+.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$splashscreen.cpp
                                            • API String ID: 515895837-4030304179
                                            • Opcode ID: d26d8f8a4644b71a59b61fc245f124a4371e9521b2059294c31267a3bb6f4d25
                                            • Instruction ID: 3afdf0f91332dad75f587821cb86337cf1cecac75b14cf5988b46aa6307f2bc7
                                            • Opcode Fuzzy Hash: d26d8f8a4644b71a59b61fc245f124a4371e9521b2059294c31267a3bb6f4d25
                                            • Instruction Fuzzy Hash: D5514BB1900229EFEB22DFE4CC449EDBBBAFF08710F204419F595EA184D7769A54CB90
                                            APIs
                                            • WaitForMultipleObjects.KERNEL32(00000001,?,00000000,000000FF,00000001,00000000,?,?,?,?,01013E1D,00000001,00000000,000000B9,00000000,?), ref: 0101394A
                                            • GetExitCodeThread.KERNEL32(?,00000001,?,?,?,?,01013E1D,00000001,00000000,000000B9,00000000,?,?,?,000000B9,00000000), ref: 01013966
                                            • GetLastError.KERNEL32(?,?,?,?,01013E1D,00000001,00000000,000000B9,00000000,?,?,?,000000B9,00000000,00000001,00000000), ref: 01013974
                                            • GetLastError.KERNEL32(?,?,?,?,01013E1D,00000001,00000000,000000B9,00000000,?,?,?,000000B9,00000000,00000001,00000000), ref: 01013B3A
                                            Strings
                                            • apply.cpp, xrefs: 0101399E, 01013B64
                                            • Failed to load compatible package on per-machine package., xrefs: 01013ABE
                                            • Failed to execute compatible package action., xrefs: 01013AD2
                                            • Failed to execute package provider registration action., xrefs: 01013A7D
                                            • Failed to get cache thread exit code., xrefs: 010139A8
                                            • Failed to execute MSI package., xrefs: 01013A02
                                            • Failed to execute MSU package., xrefs: 01013A62
                                            • Failed to execute EXE package., xrefs: 010139D7
                                            • Failed to execute dependency action., xrefs: 01013A98
                                            • Invalid execute action., xrefs: 01013B0D
                                            • Failed to execute MSP package., xrefs: 01013A2D
                                            • Cache thread exited unexpectedly., xrefs: 01013B30
                                            • Failed to wait for cache check-point., xrefs: 01013B6E
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorLast$CodeExitMultipleObjectsThreadWait
                                            • String ID: Cache thread exited unexpectedly.$Failed to execute EXE package.$Failed to execute MSI package.$Failed to execute MSP package.$Failed to execute MSU package.$Failed to execute compatible package action.$Failed to execute dependency action.$Failed to execute package provider registration action.$Failed to get cache thread exit code.$Failed to load compatible package on per-machine package.$Failed to wait for cache check-point.$Invalid execute action.$apply.cpp
                                            • API String ID: 3703294532-2662572847
                                            • Opcode ID: 891c29abaf6227c7822b505ad68b595f1ff90fd8e7b59b8a619373f1f92eda13
                                            • Instruction ID: 03f33a8962fa5f62e3dad7d8a052e045af4500c094a11be63ba694d3aee9a437
                                            • Opcode Fuzzy Hash: 891c29abaf6227c7822b505ad68b595f1ff90fd8e7b59b8a619373f1f92eda13
                                            • Instruction Fuzzy Hash: D8716C75A0420AEFDB15DFA4D8909AE7BB9FF44320F2040A9F985EF244E779DA00DB50
                                            APIs
                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00FF808E
                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00FF81B4
                                            Strings
                                            • MsiProductSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 00FF8237
                                            • Language, xrefs: 00FF8065
                                            • State, xrefs: 00FF805C
                                            • Failed to get product info., xrefs: 00FF81A0
                                            • Failed to find product for UpgradeCode: %ls, xrefs: 00FF80C0
                                            • Unsupported product search type: %u, xrefs: 00FF804C
                                            • Product not found: %ls, xrefs: 00FF816C
                                            • Trying per-user extended info for property '%ls' for product: %ls, xrefs: 00FF8141
                                            • Failed to format upgrade code string., xrefs: 00FF8099
                                            • Failed to change value type., xrefs: 00FF8209
                                            • No products found for UpgradeCode: %ls, xrefs: 00FF80D6
                                            • Failed to format product code string., xrefs: 00FF81C3
                                            • Failed to set variable., xrefs: 00FF8227
                                            • VersionString, xrefs: 00FF806E
                                            • Trying per-machine extended info for property '%ls' for product: %ls, xrefs: 00FF8113
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Open@16
                                            • String ID: Failed to change value type.$Failed to find product for UpgradeCode: %ls$Failed to format product code string.$Failed to format upgrade code string.$Failed to get product info.$Failed to set variable.$Language$MsiProductSearch failed: ID '%ls', HRESULT 0x%x$No products found for UpgradeCode: %ls$Product not found: %ls$State$Trying per-machine extended info for property '%ls' for product: %ls$Trying per-user extended info for property '%ls' for product: %ls$Unsupported product search type: %u$VersionString
                                            • API String ID: 3613110473-2367264253
                                            • Opcode ID: 56474a27dac2529dd82bc4a8cb899df1f35be21c51b57271ff0fe754f067d41f
                                            • Instruction ID: c4b7fd9ededdbd331fd93ac37cab775223cbc5599c27bfd93705ad8af2184364
                                            • Opcode Fuzzy Hash: 56474a27dac2529dd82bc4a8cb899df1f35be21c51b57271ff0fe754f067d41f
                                            • Instruction Fuzzy Hash: 7961E372D0062EBADF11AF94CC06FFEBA74AF14390F544255EA40BA160DB759E06AB90
                                            APIs
                                            • CreateFileW.KERNEL32(?,C0000000,00000004,00000000,00000004,00000080,00000000,?,00000000,?,?,?,000000FF,?), ref: 01017630
                                            • GetLastError.KERNEL32 ref: 0101763E
                                            • VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 01017690
                                            • GetLastError.KERNEL32 ref: 0101769D
                                            • InternetCloseHandle.WININET(00000000), ref: 0101772C
                                            • InternetCloseHandle.WININET(?), ref: 0101773D
                                            • InternetCloseHandle.WININET(?), ref: 01017820
                                            • InternetCloseHandle.WININET(00000000), ref: 0101782E
                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0101784F
                                            • CloseHandle.KERNEL32(000000FF), ref: 0101785E
                                            Strings
                                            • Failed to request URL for download: %ls, xrefs: 010177FF
                                            • Failed to create download destination file: %ls, xrefs: 01017670
                                            • Failed to allocate range request header., xrefs: 010177EE
                                            • downloadengine.cpp, xrefs: 01017663, 010176C2
                                            • Failed to allocate buffer to download files into., xrefs: 010176CC
                                            • Failed while reading from internet and writing to: %ls, xrefs: 01017809
                                            • GET, xrefs: 0101775E
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CloseHandle$Internet$ErrorLastVirtual$AllocCreateFileFree
                                            • String ID: Failed to allocate buffer to download files into.$Failed to allocate range request header.$Failed to create download destination file: %ls$Failed to request URL for download: %ls$Failed while reading from internet and writing to: %ls$GET$downloadengine.cpp
                                            • API String ID: 424062026-2629732388
                                            • Opcode ID: 15c836d797e683119e158a3cef7eaf40e9397179eb38e2247d4b7039a022a063
                                            • Instruction ID: 9cebe344330e7ae155e30566ca7108892ffd91ba02e6abcd2e3ad20cfa24ca96
                                            • Opcode Fuzzy Hash: 15c836d797e683119e158a3cef7eaf40e9397179eb38e2247d4b7039a022a063
                                            • Instruction Fuzzy Hash: 8F71497290021AEFDF21AF98CC859ED7BB5BF08304F20457AFA91B6154D7398A80DB91
                                            APIs
                                            • RegCloseKey.ADVAPI32(00000000), ref: 00FF6C1B
                                              • Part of subcall function 01024111: RegSetValueExW.KERNELBASE(00020006,?,00000000,00000001,?,00000000,?,000000FF,00000000,00000001,?,?,00FF6994,00000000,?,00020006), ref: 01024144
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CloseValue
                                            • String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled$UninstallString
                                            • API String ID: 3132538880-2375234059
                                            • Opcode ID: 30722ce6b3f5dc651556d2849b145e16f5a2e2aeab8a9ec09e7deed0b479a590
                                            • Instruction ID: 026e6c113d53f31a5d2b9888f007b243408793aba360ce94807984121162885f
                                            • Opcode Fuzzy Hash: 30722ce6b3f5dc651556d2849b145e16f5a2e2aeab8a9ec09e7deed0b479a590
                                            • Instruction Fuzzy Hash: 9A414576A0063EBACB125650CD41EAFB97ADF947A4B210064FA88E7321DF35ED01B750
                                            APIs
                                            • IsWindow.USER32(?), ref: 00FF1AC3
                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FF1AD6
                                            • CloseHandle.KERNEL32(00000000,?,?,?,00FF1E12,?), ref: 00FF1AE5
                                            Strings
                                            • Failed to open log., xrefs: 00FF18ED
                                            • Failed to set layout directory variable to value provided from command-line., xrefs: 00FF1A51
                                            • Failed while running , xrefs: 00FF1A75
                                            • Failed to initialize internal cache functionality., xrefs: 00FF190A
                                            • Failed to create the message window., xrefs: 00FF19E3
                                            • Failed to connect to elevated parent process., xrefs: 00FF194B
                                            • Failed to set registration variables., xrefs: 00FF1A29
                                            • Failed to set action variables., xrefs: 00FF1A0F
                                            • Failed to query registration., xrefs: 00FF19F9
                                            • Failed to check global conditions, xrefs: 00FF1997
                                            • WixBundleLayoutDirectory, xrefs: 00FF1A40
                                            • Failed to create pipes to connect to elevated parent process., xrefs: 00FF1935
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CloseHandleMessagePostWindow
                                            • String ID: Failed to check global conditions$Failed to connect to elevated parent process.$Failed to create pipes to connect to elevated parent process.$Failed to create the message window.$Failed to initialize internal cache functionality.$Failed to open log.$Failed to query registration.$Failed to set action variables.$Failed to set layout directory variable to value provided from command-line.$Failed to set registration variables.$Failed while running $WixBundleLayoutDirectory
                                            • API String ID: 3586352542-3026528549
                                            • Opcode ID: 6f005f0c936b2b16731b08e49b7f53c07b6c6cf108768aad12a264ee583a1fb5
                                            • Instruction ID: 0b185698ffdb6d738495d48e28ee82b6d622f03d4e13c02324a0ad1355c1aef2
                                            • Opcode Fuzzy Hash: 6f005f0c936b2b16731b08e49b7f53c07b6c6cf108768aad12a264ee583a1fb5
                                            • Instruction Fuzzy Hash: E651D63254170EFADB32DA60CC45FBB73A9BF50350F244419F29A96160EB78EA44BB50
                                            APIs
                                            • InternetOpenW.WININET(Burn,00000000,00000000,00000000,00000000), ref: 010178CA
                                            • GetLastError.KERNEL32 ref: 010178D7
                                            • InternetCloseHandle.WININET(00000000), ref: 01017A30
                                              • Part of subcall function 01027AC0: RegCloseKey.ADVAPI32(00000000,?,00000000,?,00000000,00000000), ref: 01027B11
                                            • InternetSetOptionW.WININET(00000000,00000002,?,00000004), ref: 01017943
                                            • InternetSetOptionW.WININET(00000000,00000006,?,00000004), ref: 01017950
                                            • InternetSetOptionW.WININET(00000000,00000005,?,00000004), ref: 0101795D
                                              • Part of subcall function 010175F8: CreateFileW.KERNEL32(?,C0000000,00000004,00000000,00000004,00000080,00000000,?,00000000,?,?,?,000000FF,?), ref: 01017630
                                              • Part of subcall function 010175F8: GetLastError.KERNEL32 ref: 0101763E
                                              • Part of subcall function 010175F8: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0101784F
                                              • Part of subcall function 010175F8: CloseHandle.KERNEL32(000000FF), ref: 0101785E
                                            • DeleteFileW.KERNEL32(?,?,000000FF,00000000,?,00000001,?,?,?,?,?,?,?,00000078,000000FF,?), ref: 01017A06
                                            • CloseHandle.KERNEL32(000000FF,?,000000FF,00000000,?,00000001,?,?,?,?,?,?,?,00000078,000000FF,?), ref: 01017A15
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Internet$Close$HandleOption$ErrorFileLast$CreateDeleteFreeOpenVirtual
                                            • String ID: Burn$DownloadTimeout$Failed to copy download source URL.$Failed to download URL: %ls$Failed to get size and time for URL: %ls$Failed to open internet session$WiX\Burn$downloadengine.cpp
                                            • API String ID: 328221957-1870125225
                                            • Opcode ID: c084432ce07cf630692716b395aa20cfad733219f3b055da9b68202648b10a93
                                            • Instruction ID: 1e9420e3645fea7887f7b2f6544be8c2b15848c1b652c44936b263f1090e4d97
                                            • Opcode Fuzzy Hash: c084432ce07cf630692716b395aa20cfad733219f3b055da9b68202648b10a93
                                            • Instruction Fuzzy Hash: EF513972D0021AFFDF129FD4CC819EEBBB9FB08300F50456AFA54B6064D37A9A549B91
                                            APIs
                                              • Part of subcall function 010228F3: GetProcessHeap.KERNEL32(?,?,?,01020F41,?,00000001,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000), ref: 01022904
                                              • Part of subcall function 010228F3: RtlAllocateHeap.NTDLL(00000000,?,01020F41,?,00000001,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000,00000000), ref: 0102290B
                                            • _memcpy_s.LIBCMT ref: 01014BE7
                                            Strings
                                            • Failed to copy download source for passthrough pseudo bundle., xrefs: 01014CAB
                                            • Failed to copy related arguments for passthrough bundle package, xrefs: 01014D6C
                                            • Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 01014AB1
                                            • Failed to copy key for passthrough pseudo bundle payload., xrefs: 01014C8D
                                            • Failed to recreate command-line arguments., xrefs: 01014D30
                                            • pseudobundle.cpp, xrefs: 01014AA4, 01014C79, 01014CC0
                                            • Failed to copy local source path for passthrough pseudo bundle., xrefs: 01014CA1
                                            • Failed to copy key for passthrough pseudo bundle., xrefs: 01014C64
                                            • Failed to copy uninstall arguments for passthrough bundle package, xrefs: 01014D90
                                            • Failed to copy filename for passthrough pseudo bundle., xrefs: 01014C97
                                            • Failed to allocate memory for pseudo bundle payload hash., xrefs: 01014CCD
                                            • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 01014C86
                                            • Failed to copy install arguments for passthrough bundle package, xrefs: 01014D4E
                                            • Failed to copy cache id for passthrough pseudo bundle., xrefs: 01014CED
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Heap$AllocateProcess_memcpy_s
                                            • String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$pseudobundle.cpp
                                            • API String ID: 1343786421-115096447
                                            • Opcode ID: 3323673a094533edf37e43a16d29cc3e09b5bfba96d55b9708b527c59971385e
                                            • Instruction ID: 3f8af028d9bc7af97922b0acfd6c277e30598829bc53f763e6f10e85aaeae23c
                                            • Opcode Fuzzy Hash: 3323673a094533edf37e43a16d29cc3e09b5bfba96d55b9708b527c59971385e
                                            • Instruction Fuzzy Hash: AEB17974600B06EFDB51DFA5C880F9ABBF8BF48344F10855AE999DB265E734E911CB80
                                            APIs
                                            Strings
                                            • Failed to read action., xrefs: 01000AA8
                                            • Failed to read package log., xrefs: 01000B0F
                                            • Failed to read UI level., xrefs: 01000B43
                                            • Failed to read rollback flag., xrefs: 01000C73
                                            • Failed to read count of ordered patches., xrefs: 01000B7B
                                            • Failed to read variables., xrefs: 01000C36
                                            • Failed to allocate memory for ordered patches., xrefs: 01000BB7
                                            • Failed to find package: %ls, xrefs: 01000ACA
                                            • Failed to read parent hwnd., xrefs: 01000AE9
                                            • Failed to read ordered patch order number., xrefs: 01000C3D
                                            • elevation.cpp, xrefs: 01000BAD
                                            • Failed to find ordered patch package: %ls, xrefs: 01000C4E
                                            • Failed to read ordered patch package id., xrefs: 01000C44
                                            • Failed to execute MSP package., xrefs: 01000C9E
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: _memset
                                            • String ID: Failed to allocate memory for ordered patches.$Failed to execute MSP package.$Failed to find ordered patch package: %ls$Failed to find package: %ls$Failed to read UI level.$Failed to read action.$Failed to read count of ordered patches.$Failed to read ordered patch order number.$Failed to read ordered patch package id.$Failed to read package log.$Failed to read parent hwnd.$Failed to read rollback flag.$Failed to read variables.$elevation.cpp
                                            • API String ID: 2102423945-908036492
                                            • Opcode ID: edfd1b6f37db5e52a93b587b76445914a57e0e4fb95074eb47e64ea9281c441c
                                            • Instruction ID: 3d0d8fe09e9062d77b4e43baa9a175c775eb845f8bd07a78258ad03b44821adc
                                            • Opcode Fuzzy Hash: edfd1b6f37db5e52a93b587b76445914a57e0e4fb95074eb47e64ea9281c441c
                                            • Instruction Fuzzy Hash: C4716E72D0066EBAEB13DBD1CC50EEFBABCAB44750F010156F981BA284DB75DB4087A1
                                            APIs
                                            • lstrlenW.KERNEL32(?,?,00000000,?,?,?,?,00000000,?,?,?,00000000,?,00000000), ref: 010180CE
                                            Strings
                                            • Failed to copy download URL., xrefs: 01018115
                                            • Failed to complete BITS job., xrefs: 0101828E
                                            • Failed to create BITS job callback., xrefs: 010181EA
                                            • Failed while waiting for BITS download., xrefs: 0101827B
                                            • Falied to start BITS job., xrefs: 01018274
                                            • Invalid BITS engine URL: %ls, xrefs: 010180F0
                                            • Failed to set credentials for BITS job., xrefs: 01018186
                                            • bitsengine.cpp, xrefs: 010180E4, 010181E0
                                            • Failed to download BITS job., xrefs: 0101826D
                                            • Failed to create BITS job., xrefs: 01018160
                                            • Failed to set callback interface for BITS job., xrefs: 01018210
                                            • Failed to add file to BITS job., xrefs: 010181A2
                                            • Failed to initialize BITS job callback., xrefs: 010181F9
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: lstrlen
                                            • String ID: Failed to add file to BITS job.$Failed to complete BITS job.$Failed to copy download URL.$Failed to create BITS job callback.$Failed to create BITS job.$Failed to download BITS job.$Failed to initialize BITS job callback.$Failed to set callback interface for BITS job.$Failed to set credentials for BITS job.$Failed while waiting for BITS download.$Falied to start BITS job.$Invalid BITS engine URL: %ls$bitsengine.cpp
                                            • API String ID: 1659193697-2382896028
                                            • Opcode ID: 10b027294839b3b64548aac83d98ffc1145918ae53a34108bf5ce55324e25cb6
                                            • Instruction ID: 7b26d0da0240611e418aea1e08877dfcb64861099406e6416030abda3954d9a1
                                            • Opcode Fuzzy Hash: 10b027294839b3b64548aac83d98ffc1145918ae53a34108bf5ce55324e25cb6
                                            • Instruction Fuzzy Hash: 4A61E932E40625EFCB139F94C884EEE7BB9AF44710F10815BFD85AB259D7799E008B91
                                            APIs
                                            • InternetCloseHandle.WININET(00000000), ref: 01017388
                                            • InternetCloseHandle.WININET(00000000), ref: 01017396
                                            • InternetConnectW.WININET(?,00000000,?,00000000,?,?,00000000,00000000), ref: 010173F5
                                            • lstrlenW.KERNEL32(00000000), ref: 01017420
                                            • InternetSetOptionW.WININET(00000000,0000002B,00000000,00000000), ref: 0101742D
                                            • lstrlenW.KERNEL32(00000001), ref: 01017436
                                            • InternetSetOptionW.WININET(00000000,0000002C,00000001,00000000), ref: 0101743F
                                            • InternetCloseHandle.WININET(00000000), ref: 010174B4
                                            • InternetCloseHandle.WININET(00000000), ref: 010174BF
                                            • GetLastError.KERNEL32 ref: 010174DC
                                            Strings
                                            • Failed to send request to URL: %ls, xrefs: 01017528
                                            • Failed to open internet URL: %ls, xrefs: 0101751C
                                            • downloadengine.cpp, xrefs: 01017501
                                            • Failed to connect to URL: %ls, xrefs: 01017510
                                            • Failed to break URL into server and resource parts., xrefs: 010174CD
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Internet$CloseHandle$Optionlstrlen$ConnectErrorLast
                                            • String ID: Failed to break URL into server and resource parts.$Failed to connect to URL: %ls$Failed to open internet URL: %ls$Failed to send request to URL: %ls$downloadengine.cpp
                                            • API String ID: 1028609564-2897276973
                                            • Opcode ID: 93056cb36f2a39acd0c469a2b5144340df341be60fae86de74fdced7c2a7b599
                                            • Instruction ID: c4bb75ad8cef02c9786ea01db319722e514184bdcc385a4e0326038621d43518
                                            • Opcode Fuzzy Hash: 93056cb36f2a39acd0c469a2b5144340df341be60fae86de74fdced7c2a7b599
                                            • Instruction Fuzzy Hash: 6E51933290021AEFDF229F98CC80DEE7BB6FF88700F258065FA41A7154DB799D419B51
                                            APIs
                                            • SysFreeString.OLEAUT32(?), ref: 00FF5A4F
                                              • Part of subcall function 010228F3: GetProcessHeap.KERNEL32(?,?,?,01020F41,?,00000001,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000), ref: 01022904
                                              • Part of subcall function 010228F3: RtlAllocateHeap.NTDLL(00000000,?,01020F41,?,00000001,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000,00000000), ref: 0102290B
                                            • SysFreeString.OLEAUT32(?), ref: 00FF5A09
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: FreeHeapString$AllocateProcess
                                            • String ID: Failed to allocate memory for software tag structs.$Failed to convert SoftwareTag text to UTF-8$Failed to get @Filename.$Failed to get @Regid.$Failed to get SoftwareTag text.$Failed to get next node.$Failed to get software tag count.$Failed to select software tag nodes.$Filename$Regid$SoftwareTag$`<u$registration.cpp
                                            • API String ID: 336948655-2653194374
                                            • Opcode ID: 88a2696ce0d27ae27f1836742654d947557f5f2ee369ae0e51667b5d7cf93f9f
                                            • Instruction ID: 93ae79002e5c99c67c0b1091cf58bb027c1967be671838623f6cba7b93839fc6
                                            • Opcode Fuzzy Hash: 88a2696ce0d27ae27f1836742654d947557f5f2ee369ae0e51667b5d7cf93f9f
                                            • Instruction Fuzzy Hash: B2515E72D0062EEFCB10EFA4CCC48BDB7B5AF08B11B548569EB41FB220D6355E51AB50
                                            APIs
                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,00000000,00000002,?,?,?,?,?,?,?,?,?,0100F2A5,?), ref: 0100EED7
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0100F2A5,?,?), ref: 0100EEE4
                                            • OpenServiceW.ADVAPI32(00000000,wuauserv,00000027,?,?,?,?,?,?,?,?,?,0100F2A5,?,?), ref: 0100EF25
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0100F2A5,?,?), ref: 0100EF32
                                            • QueryServiceStatus.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,0100F2A5,?,?), ref: 0100EF70
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0100F2A5,?,?), ref: 0100EF7A
                                              • Part of subcall function 0100EDC2: ChangeServiceConfigW.ADVAPI32(?,000000FF,00000003,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,00000000,?,0100EFF9,?), ref: 0100EDDC
                                              • Part of subcall function 0100EDC2: GetLastError.KERNEL32(?,0100EFF9,?,00000003,?,?), ref: 0100EDE6
                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 0100F039
                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 0100F044
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Service$ErrorLast$CloseHandleOpen$ChangeConfigManagerQueryStatus
                                            • String ID: Failed to mark WU service to start on demand.$Failed to open WU service.$Failed to open service control manager.$Failed to query status of WU service.$Failed to read configuration for WU service.$msuengine.cpp$wuauserv
                                            • API String ID: 2017831661-301359130
                                            • Opcode ID: 49241514dbafae89613816ce88fbe3900b177208cb002a43270735d8d6c5a758
                                            • Instruction ID: 130eb1906bdeaac526daf4588d86b0171fa696a8c3e378b1ca6f594c6cfacc8b
                                            • Opcode Fuzzy Hash: 49241514dbafae89613816ce88fbe3900b177208cb002a43270735d8d6c5a758
                                            • Instruction Fuzzy Hash: FA41C632E0062ADBEB33DB65C805BEEBBF4AF04710F150569F580FA190DB799D409B95
                                            APIs
                                              • Part of subcall function 0102303C: _memset.LIBCMT ref: 01023063
                                              • Part of subcall function 0102303C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 01023078
                                              • Part of subcall function 0102303C: LoadLibraryW.KERNELBASE(?,?,00000104,00FF1C3B), ref: 010230C6
                                              • Part of subcall function 0102303C: GetLastError.KERNEL32 ref: 010230D2
                                            • GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,0000011C), ref: 01024357
                                            • GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 01024376
                                            • GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 01024395
                                            • GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 010243B4
                                            • GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 010243D3
                                            • GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 010243F2
                                            • GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 01024411
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: AddressProc$DirectoryErrorLastLibraryLoadSystem_memset
                                            • String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
                                            • API String ID: 3669249573-1735120554
                                            • Opcode ID: 5dd86257b6fdb2d40b87fc8fe0e33e93b0412647cf3c9854a5d341a1ebd51532
                                            • Instruction ID: 19b06215079f0c1b0b67ad12affdeb5b35b9c451325eefefebe253982c662139
                                            • Opcode Fuzzy Hash: 5dd86257b6fdb2d40b87fc8fe0e33e93b0412647cf3c9854a5d341a1ebd51532
                                            • Instruction Fuzzy Hash: 1D21DFF9A602219FD732DF27BEC18243AA5F78D70531046ABE4C096228E7FB1C418F90
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: _memset
                                            • String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$Failed to move file pointer to beginning of file.$cache.cpp
                                            • API String ID: 2102423945-1888235766
                                            • Opcode ID: ddc37dc3cea804320352ad5083f8e0e4c3e486c45fe8850f85718f465e69a3c3
                                            • Instruction ID: 4c6b3fff9a6386a79e8557a112b4e520f0f39efdbc76cf36596e522a9ed00711
                                            • Opcode Fuzzy Hash: ddc37dc3cea804320352ad5083f8e0e4c3e486c45fe8850f85718f465e69a3c3
                                            • Instruction Fuzzy Hash: C2814572D0022A9FDB21DF94CC80AEEBBF8BF18350F14816AE685F7290D67559458B91
                                            APIs
                                            • GdipAlloc.GDIPLUS(00000010), ref: 01006130
                                              • Part of subcall function 010060E0: GdipCreateBitmapFromResource.GDIPLUS(?,?,00000000), ref: 010060FB
                                            • GetCursorPos.USER32(?), ref: 010061C8
                                            • MonitorFromPoint.USER32(?,?,00000002), ref: 010061DE
                                            • _memset.LIBCMT ref: 010061F8
                                            • GetMonitorInfoW.USER32(00000000,?), ref: 01006208
                                            • CreateDCW.GDI32(DISPLAY,?,00000000,00000000), ref: 0100621F
                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 01006234
                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0100623C
                                            • ReleaseDC.USER32(00000000,00000000), ref: 01006263
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CapsCreateDeviceFromGdipMonitor$AllocBitmapCursorInfoPointReleaseResource_memset
                                            • String ID: DISPLAY$Failed to find the splash screen bitmap.$Failed to load the splash screen bitmap.$splashscreen.cpp
                                            • API String ID: 1792097070-2523976841
                                            • Opcode ID: 9bb3d3551f9261e1a209cc77ab65acbd18786411195ad68d215eab7792f4647f
                                            • Instruction ID: 7c478b64092ca6a047113fd74f40289ee807a205f3ae7199634e0605c058cb4d
                                            • Opcode Fuzzy Hash: 9bb3d3551f9261e1a209cc77ab65acbd18786411195ad68d215eab7792f4647f
                                            • Instruction Fuzzy Hash: 16419071A007069FE721DFB9CC85F9EB7F9AB44700F14892DE595EB281DBB6E8008B10
                                            APIs
                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00FF7843
                                            • RegCloseKey.ADVAPI32(?,00000000,?,?,00FF8B52,?), ref: 00FF7999
                                              • Part of subcall function 01023D9A: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,01027ABC,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 01023DAE
                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00FF788B
                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00FF8B52,00000000,00000000,?,?,?,00000000,?,?,00000001,?,?,?), ref: 00FF78D8
                                            Strings
                                            • RegistrySearchExists failed: ID '%ls', HRESULT 0x%x, xrefs: 00FF7968
                                            • Registry key not found. Key = '%ls'; variable = '%ls', xrefs: 00FF78AE
                                            • Failed to format key string., xrefs: 00FF784E
                                            • Failed to format value string., xrefs: 00FF7896
                                            • search.cpp, xrefs: 00FF7909
                                            • Failed to set variable., xrefs: 00FF7953
                                            • Failed to query registry key value., xrefs: 00FF7913
                                            • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 00FF7920
                                            • Failed to open registry key. Key = '%ls', xrefs: 00FF78B8
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Open@16$CloseOpenQueryValue
                                            • String ID: Failed to format key string.$Failed to format value string.$Failed to open registry key. Key = '%ls'$Failed to query registry key value.$Failed to set variable.$Registry key not found. Key = '%ls'; variable = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchExists failed: ID '%ls', HRESULT 0x%x$search.cpp
                                            • API String ID: 3932663376-1654530643
                                            • Opcode ID: 27eb454fcc971a7e17aa508053dd196e1d22b009c2ca7259a364085557df4d14
                                            • Instruction ID: 10fce2c552c33c7952197d6521257bba481ff59fa530193a0b07b0dbc2b55689
                                            • Opcode Fuzzy Hash: 27eb454fcc971a7e17aa508053dd196e1d22b009c2ca7259a364085557df4d14
                                            • Instruction Fuzzy Hash: 0941AC72D0431EBBCF21BEA4CC85DBEFABAEF14740F24446DF341A6120D6B94A51AB50
                                            APIs
                                            • _memset.LIBCMT ref: 01001D89
                                            • GetTempPathW.KERNEL32(00000104,?,?,00000001,00000009), ref: 01001DB6
                                            • GetLastError.KERNEL32(?,00000001,00000009), ref: 01001DC0
                                            • GetCurrentProcessId.KERNEL32(?,?,00000104,?,?,00000001,00000009), ref: 01001E24
                                            • ProcessIdToSessionId.KERNEL32(00000000,?,00000001,00000009), ref: 01001E2B
                                            Strings
                                            • Failed to get length of temp folder., xrefs: 01001E13
                                            • logging.cpp, xrefs: 01001DE5
                                            • %u\, xrefs: 01001E45
                                            • Failed to format session id as a string., xrefs: 01001E59
                                            • Failed to get temp folder., xrefs: 01001DEF
                                            • Failed to copy temp folder., xrefs: 01001ED6
                                            • Failed to get length of session id string., xrefs: 01001E7D
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Process$CurrentErrorLastPathSessionTemp_memset
                                            • String ID: %u\$Failed to copy temp folder.$Failed to format session id as a string.$Failed to get length of session id string.$Failed to get length of temp folder.$Failed to get temp folder.$logging.cpp
                                            • API String ID: 1047854834-1016737523
                                            • Opcode ID: 79dcb310a6341de05e773cbc8a99a01467d3659ac3d3bd26ff554eba192c2b04
                                            • Instruction ID: 1fdf03751aaf308de1fecc8c2fd74ad4dfcf8d1408d1ac1d60ef045f60382426
                                            • Opcode Fuzzy Hash: 79dcb310a6341de05e773cbc8a99a01467d3659ac3d3bd26ff554eba192c2b04
                                            • Instruction Fuzzy Hash: 3641CA71D8013DABDB31AB659C8CEEEB7BCAB54310F5006D5E498E3190E7748E818F90
                                            APIs
                                            Strings
                                            • Failed to execute EXE package., xrefs: 01000766
                                            • Failed to allocate the list of ancestors., xrefs: 0100073E
                                            • Failed to read the list of dependencies to ignore., xrefs: 01000671
                                            • Failed to read action., xrefs: 0100060E
                                            • Failed to read rollback., xrefs: 0100062F
                                            • Failed to read variables., xrefs: 010006B2
                                            • Failed to allocate the list of dependencies to ignore., xrefs: 0100071A
                                            • Failed to read exe package execution mode., xrefs: 01000650
                                            • Failed to read exe package., xrefs: 010005ED
                                            • Failed to read the list of ancestors., xrefs: 01000692
                                            • Failed to find package: %ls, xrefs: 010006ED
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: _memset
                                            • String ID: Failed to allocate the list of ancestors.$Failed to allocate the list of dependencies to ignore.$Failed to execute EXE package.$Failed to find package: %ls$Failed to read action.$Failed to read exe package execution mode.$Failed to read exe package.$Failed to read rollback.$Failed to read the list of ancestors.$Failed to read the list of dependencies to ignore.$Failed to read variables.
                                            APIs
                                            • EnterCriticalSection.KERNEL32(00000001,00FF1D56,00000000,00000000,?,00FFA737,00FF2222,00FF1E8E,00000000,00000001), ref: 00FF9DB8
                                              • Part of subcall function 00FF8E6B: CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,?,000000FF,?,00000000,00000030,00FF9837,?,00FFADF8,?,00000030,00000000,00000030), ref: 00FF8EA4
                                            • LeaveCriticalSection.KERNEL32(00000001,00000008,WixBundleElevated,00000001,00000000,00000000,?,00FFA737,00FF2222,00FF1E8E,00000000,00000001), ref: 00FF9F3A
                                            Strings
                                            • Setting hidden variable '%ls', xrefs: 00FF9E7F
                                            • Setting numeric variable '%ls' to value %lld, xrefs: 00FF9EFF
                                            • Unsetting variable '%ls', xrefs: 00FF9EDB
                                            • Setting version variable '%ls' to value '%hu.%hu.%hu.%hu', xrefs: 00FF9EC0
                                            • Setting string variable '%ls' to value '%ls', xrefs: 00FF9EE6
                                            • Failed to insert variable '%ls'., xrefs: 00FF9E08
                                            • Attempt to set built-in variable value: %ls, xrefs: 00FF9E4D
                                            • Failed to find variable value '%ls'., xrefs: 00FF9DD6
                                            • variable.cpp, xrefs: 00FF9E40
                                            • Setting variable failed: ID '%ls', HRESULT 0x%x, xrefs: 00FF9F4E
                                            • Failed to set value of variable: %ls, xrefs: 00FF9F28
                                            • WixBundleElevated, xrefs: 00FF9DE9
                                            Similarity
                                            • API ID: CriticalSection$CompareEnterLeaveString
                                            • String ID: Attempt to set built-in variable value: %ls$Failed to find variable value '%ls'.$Failed to insert variable '%ls'.$Failed to set value of variable: %ls$Setting hidden variable '%ls'$Setting numeric variable '%ls' to value %lld$Setting string variable '%ls' to value '%ls'$Setting variable failed: ID '%ls', HRESULT 0x%x$Setting version variable '%ls' to value '%hu.%hu.%hu.%hu'$Unsetting variable '%ls'$WixBundleElevated$variable.cpp
                                            APIs
                                            • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000,00000000,00000000,?,?,01009B9C,00000000,?,00000000,?), ref: 01009476
                                            • GetLastError.KERNEL32(?,?,01009B9C,00000000,?,00000000,?,?,00000000,00000000,?,?,?,00FFF210,?,?), ref: 01009484
                                              • Part of subcall function 0100828F: _memset.LIBCMT ref: 010082B9
                                              • Part of subcall function 0102602E: Sleep.KERNEL32(00000000,?,?,01007B9B,00000000,?,00000001,00000003,000007D0,?,?,01009CB4,00000000,00000000,00000000,00000000), ref: 01026045
                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000003,000007D0,?,?), ref: 0100958D
                                            Strings
                                            • Failed to verify payload hash: %ls, xrefs: 01009511
                                            • Failed to copy %ls to %ls, xrefs: 0100957C
                                            • Failed to open payload in working path: %ls, xrefs: 010094B4
                                            • cache.cpp, xrefs: 010094A9
                                            • Copying, xrefs: 0100952C, 01009536
                                            • %ls payload from working path '%ls' to path '%ls', xrefs: 01009537
                                            • Moving, xrefs: 01009525
                                            • Failed to move %ls to %ls, xrefs: 01009566
                                            • Failed to verify payload signature: %ls, xrefs: 010094ED
                                            Similarity
                                            • API ID: CloseCreateErrorFileHandleLastSleep_memset
                                            • String ID: %ls payload from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open payload in working path: %ls$Failed to verify payload hash: %ls$Failed to verify payload signature: %ls$Moving$cache.cpp
                                            Strings
                                            • UX aborted plan related bundle., xrefs: 010046BA
                                            • Failed to add the package provider key "%ls" to the planned list., xrefs: 010046CB
                                            • Failed to lookup the bundle ID in the ancestors dictionary., xrefs: 0100469C
                                            • Failed to create string array from ancestors., xrefs: 010043EE
                                            • Unexpected relation type encountered during plan: %d, xrefs: 01004692
                                            • Failed to copy ancestors and self to related bundle ancestors., xrefs: 010044C2
                                            • plan.cpp, xrefs: 010046B0
                                            • Failed to create dictionary from ancestors array., xrefs: 0100440F
                                            • Failed to copy self to related bundle ancestors., xrefs: 010046A3
                                            • %ls;%ls, xrefs: 010044AA
                                            Similarity
                                            • API ID:
                                            • String ID: %ls;%ls$Failed to add the package provider key "%ls" to the planned list.$Failed to copy ancestors and self to related bundle ancestors.$Failed to copy self to related bundle ancestors.$Failed to create dictionary from ancestors array.$Failed to create string array from ancestors.$Failed to lookup the bundle ID in the ancestors dictionary.$UX aborted plan related bundle.$Unexpected relation type encountered during plan: %d$plan.cpp
                                            APIs
                                            • _memset.LIBCMT ref: 00FF907F
                                              • Part of subcall function 00FF8FDA: _memset.LIBCMT ref: 00FF8FF2
                                              • Part of subcall function 00FF8FDA: GetVersionExW.KERNEL32(?,?,00000000,00FF909E), ref: 00FF9001
                                              • Part of subcall function 00FF8FDA: GetLastError.KERNEL32 ref: 00FF900B
                                            • GetLastError.KERNEL32 ref: 00FF90A2
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast_memset$Version
                                            • String ID: Failed to get OS info.$Failed to set variant value.$variable.cpp
                                            APIs
                                            • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,08000000,00000000,00000000,?,?,01009ADD,?,?,?,?,00000000), ref: 0100936A
                                            • GetLastError.KERNEL32(?,?,01009ADD,?,?,?,?,00000000,00000000,00000000,?,?,00FFF1F1,?,?,?), ref: 0100937A
                                              • Part of subcall function 0102602E: Sleep.KERNEL32(00000000,?,?,01007B9B,00000000,?,00000001,00000003,000007D0,?,?,01009CB4,00000000,00000000,00000000,00000000), ref: 01026045
                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000003,000007D0,?,?,?), ref: 0100944E
                                            Strings
                                            Similarity
                                            • API ID: CloseCreateErrorFileHandleLastSleep
                                            • String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$cache.cpp
                                            APIs
                                            • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000080,00000000,00000001,000000F9,00000000,00000000,?,?,?), ref: 01026537
                                            • GetLastError.KERNEL32 ref: 01026545
                                            • GetFileSizeEx.KERNEL32(?,?), ref: 010265AC
                                            • GetLastError.KERNEL32 ref: 010265B6
                                            • SetFilePointer.KERNEL32(?,?,?,00000001), ref: 0102660D
                                            • GetLastError.KERNEL32 ref: 01026618
                                            • ReadFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,?,00000001), ref: 010266E4
                                            • GetLastError.KERNEL32 ref: 01026729
                                            • CloseHandle.KERNEL32(000000FF), ref: 01026782
                                            Strings
                                            Similarity
                                            • API ID: ErrorFileLast$CloseCreateHandlePointerReadSize
                                            • String ID: fileutil.cpp
                                            APIs
                                            • CompareStringW.KERNEL32(00000000,00000000,?,000000FF,00FF16FB,000000FF,?,00000000,00FF16FB), ref: 010054A5
                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00FF139F,00FF139F,00FF139F,00FF139F,?,00000000), ref: 0100564E
                                            • GetLastError.KERNEL32 ref: 0100565B
                                            Strings
                                            • Failed to create syncpoint event., xrefs: 0100568F
                                            • Failed to append package start action., xrefs: 01005522
                                            • Failed to append payload cache action., xrefs: 01005639
                                            • Failed to append rollback cache action., xrefs: 0100557D
                                            • (, xrefs: 010054B2
                                            • Failed to append cache action., xrefs: 01005631
                                            • plan.cpp, xrefs: 01005685
                                            Similarity
                                            • API ID: CompareCreateErrorEventLastString
                                            • String ID: ($Failed to append cache action.$Failed to append package start action.$Failed to append payload cache action.$Failed to append rollback cache action.$Failed to create syncpoint event.$plan.cpp
                                            APIs
                                            • _memset.LIBCMT ref: 0102268D
                                            • GetTempPathW.KERNEL32(00000104,?,00000001,00000009,00000000), ref: 010226DC
                                            • GetLastError.KERNEL32 ref: 010226E6
                                            • GetLocalTime.KERNEL32(?,?,?,?,00000000,?), ref: 0102277F
                                            • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000001,00000080,00000000), ref: 0102280F
                                            • GetLastError.KERNEL32 ref: 01022820
                                            • Sleep.KERNEL32(00000064), ref: 01022832
                                            • CloseHandle.KERNEL32(000000FF), ref: 010228A1
                                            Strings
                                            • pathutil.cpp, xrefs: 0102270B
                                            • %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls, xrefs: 010227E1
                                            Similarity
                                            • API ID: ErrorLast$CloseCreateFileHandleLocalPathSleepTempTime_memset
                                            • String ID: %ls_%04u%02u%02u%02u%02u%02u%ls%ls%ls$pathutil.cpp
                                            APIs
                                            • CompareStringW.KERNEL32(0000007F,00000000,40680003,000000FF,00FF2146,000000FF,00FF2146,00FF1F0E,00FF2146,00FF21D2,00FF1E8E,00000000,00FF21D2,00FF1E8E,00FF1E22,00FFFF25), ref: 00FF5233
                                            Strings
                                            • payload.cpp, xrefs: 00FF52FF
                                            • Failed to ensure directory exists, xrefs: 00FF533D
                                            • X, xrefs: 00FF5242
                                            • Failed to extract file., xrefs: 00FF5344
                                            • Failed to get directory portion of local file path, xrefs: 00FF5336
                                            • Failed to concat file paths., xrefs: 00FF532F
                                            • Payload was not found in container: %ls, xrefs: 00FF530D
                                            • Failed to get next stream., xrefs: 00FF531D
                                            • Failed to find embedded payload: %ls, xrefs: 00FF5327
                                            Similarity
                                            • API ID: CompareString
                                            • String ID: Failed to concat file paths.$Failed to ensure directory exists$Failed to extract file.$Failed to find embedded payload: %ls$Failed to get directory portion of local file path$Failed to get next stream.$Payload was not found in container: %ls$X$payload.cpp
                                            APIs
                                            • UuidCreate.RPCRT4(?), ref: 00FF291A
                                            • StringFromGUID2.OLE32(?,?,00000027), ref: 00FF292D
                                            Strings
                                            Similarity
                                            • API ID: CreateFromStringUuid
                                            • String ID: BurnPipe.%s$Failed to allocate pipe name.$Failed to allocate pipe secret.$Failed to convert pipe guid into string.$Failed to create pipe guid.$pipe.cpp
                                            • API String ID: 4041566446-2510341293
                                            APIs
                                            • HttpOpenRequestW.WININET(84400200,?,00000000,00000000,00000000,010460D8,84400200,00000000), ref: 01016CFF
                                            • GetLastError.KERNEL32(?,?,?,0101745A,00000000,00000000), ref: 01016D0B
                                            • HttpAddRequestHeadersW.WININET(00000000,00000000,000000FF,40000000), ref: 01016D59
                                            • GetLastError.KERNEL32(?,?,?,0101745A,00000000,00000000), ref: 01016D63
                                            • InternetCloseHandle.WININET(00000000), ref: 01016DAD
                                            Strings
                                            • downloadengine.cpp, xrefs: 01016D30, 01016D88
                                            • Failed to append query strong to resource from URI., xrefs: 01016CE4
                                            • Failed to allocate string for resource URI., xrefs: 01016CB8
                                            • Failed to add header to HTTP request., xrefs: 01016D92
                                            • Failed to open internet request., xrefs: 01016D3A
                                            Similarity
                                            • API ID: ErrorHttpLastRequest$CloseHandleHeadersInternetOpen
                                            • String ID: Failed to add header to HTTP request.$Failed to allocate string for resource URI.$Failed to append query strong to resource from URI.$Failed to open internet request.$downloadengine.cpp
                                            • API String ID: 3883690129-2273796897
                                            APIs
                                            • GetSystemTime.KERNEL32(?), ref: 00FF98B8
                                            • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,00000000,00000000), ref: 00FF98D3
                                            • GetLastError.KERNEL32 ref: 00FF98DC
                                            • GetDateFormatW.KERNEL32(00000400,00000001,?,00000000,?,?,?,?), ref: 00FF9935
                                            • GetLastError.KERNEL32 ref: 00FF993B
                                            Strings
                                            • Failed to set variant value., xrefs: 00FF9980
                                            • variable.cpp, xrefs: 00FF98FC, 00FF995B
                                            • Failed to get the Date., xrefs: 00FF9965
                                            • Failed to get the required buffer length for the Date., xrefs: 00FF9906
                                            • Failed to allocate the buffer for the Date., xrefs: 00FF991F
                                            Similarity
                                            • API ID: DateErrorFormatLast$SystemTime
                                            • String ID: Failed to allocate the buffer for the Date.$Failed to get the Date.$Failed to get the required buffer length for the Date.$Failed to set variant value.$variable.cpp
                                            • API String ID: 2700948981-3682088697
                                            APIs
                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,?,?,?,00FF1E12,?), ref: 0100668B
                                            • GetLastError.KERNEL32(?,?,?,00FF1E12,?), ref: 01006698
                                            • CreateThread.KERNEL32(00000000,00000000,01006467,?,00000000,00000000), ref: 010066F0
                                            • GetLastError.KERNEL32(?,?,?,00FF1E12,?), ref: 010066FD
                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,00FF1E12,?), ref: 01006741
                                            • CloseHandle.KERNEL32(00000001,?,?,?,00FF1E12,?), ref: 01006755
                                            • CloseHandle.KERNEL32(?,?,?,?,00FF1E12,?), ref: 01006762
                                            Strings
                                            Similarity
                                            • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
                                            • String ID: Failed to create UI thread.$Failed to create modal event.$splashscreen.cpp
                                            • API String ID: 2351989216-1977201954
                                            APIs
                                            • _memset.LIBCMT ref: 00FF951D
                                            • GetSystemWow64DirectoryW.KERNEL32(?,00000104), ref: 00FF9538
                                            • GetLastError.KERNEL32 ref: 00FF9542
                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00FF9581
                                            • GetLastError.KERNEL32 ref: 00FF958B
                                            Strings
                                            • Failed to backslash terminate system folder., xrefs: 00FF95DE
                                            • Failed to get 32-bit system folder., xrefs: 00FF957A
                                            • variable.cpp, xrefs: 00FF9570, 00FF95B0
                                            • Failed to set system folder variant value., xrefs: 00FF95FA
                                            • Failed to get 64-bit system folder., xrefs: 00FF95BA
                                            Similarity
                                            • API ID: DirectoryErrorLastSystem$Wow64_memset
                                            • String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$variable.cpp
                                            • API String ID: 3186313095-1590374846
                                            APIs
                                            • WaitForMultipleObjects.KERNEL32(00000002,00FF1D72,00000000,000000FF,74DF2F60,00000000,00FF1D72,?), ref: 01016234
                                            • GetLastError.KERNEL32 ref: 01016247
                                            • GetExitCodeThread.KERNEL32(?,000000FF), ref: 01016296
                                            • GetLastError.KERNEL32 ref: 010162A4
                                            • ResetEvent.KERNEL32(?), ref: 010162E2
                                            • GetLastError.KERNEL32 ref: 010162EC
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
                                            • String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$cabextract.cpp
                                            • API String ID: 2979751695-3400260300
                                            APIs
                                            • SetEvent.KERNEL32(0578F685,00FF2222,00FF1E22,?,?,01010739,00FF2222,00000000,00FF1AAE,?,00FFD984,?,00FF1AAE,00FF1E12,00FF1E12,00000000), ref: 01016122
                                            • GetLastError.KERNEL32(?,?,01010739,00FF2222,00000000,00FF1AAE,?,00FFD984,?,00FF1AAE,00FF1E12,00FF1E12,00000000,?,00FF1E22,02BB4868), ref: 0101612C
                                            • WaitForSingleObject.KERNEL32(F08B8007,000000FF,?,?,01010739,00FF2222,00000000,00FF1AAE,?,00FFD984,?,00FF1AAE,00FF1E12,00FF1E12,00000000,?), ref: 0101616C
                                            • GetLastError.KERNEL32(?,?,01010739,00FF2222,00000000,00FF1AAE,?,00FFD984,?,00FF1AAE,00FF1E12,00FF1E12,00000000,?,00FF1E22,02BB4868), ref: 01016176
                                            • CloseHandle.KERNEL32(F08B8007,00000000,00FF2222,00FF1E22,?,?,01010739,00FF2222,00000000,00FF1AAE,?,00FFD984,?,00FF1AAE,00FF1E12,00FF1E12), ref: 010161C8
                                            • CloseHandle.KERNEL32(0578F685,00000000,00FF2222,00FF1E22,?,?,01010739,00FF2222,00000000,00FF1AAE,?,00FFD984,?,00FF1AAE,00FF1E12,00FF1E12), ref: 010161D5
                                            • CloseHandle.KERNEL32(004005BE,00000000,00FF2222,00FF1E22,?,?,01010739,00FF2222,00000000,00FF1AAE,?,00FFD984,?,00FF1AAE,00FF1E12,00FF1E12), ref: 010161E2
                                            Strings
                                            Similarity
                                            • API ID: CloseHandle$ErrorLast$EventObjectSingleWait
                                            • String ID: Failed to set begin operation event.$Failed to wait for thread to terminate.$cabextract.cpp
                                            • API String ID: 1206859064-226982402
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast_memset$DirectoryNamePathVolumeWindows
                                            • String ID: Failed to get volume path name.$Failed to get windows directory.$Failed to set variant value.$variable.cpp
                                            • API String ID: 2690897267-4026719079
                                            APIs
                                              • Part of subcall function 0102303C: _memset.LIBCMT ref: 01023063
                                              • Part of subcall function 0102303C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 01023078
                                              • Part of subcall function 0102303C: LoadLibraryW.KERNELBASE(?,?,00000104,00FF1C3B), ref: 010230C6
                                              • Part of subcall function 0102303C: GetLastError.KERNEL32 ref: 010230D2
                                            • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 00FF8F51
                                            • GetLastError.KERNEL32 ref: 00FF8F5E
                                            • _memset.LIBCMT ref: 00FF8F9C
                                            • FreeLibrary.KERNEL32(00000000), ref: 00FF8FCF
                                            Strings
                                            • Failed to get RtlGetVersion entry point, xrefs: 00FF8F8D
                                            • Failed to load ntdll.dll, xrefs: 00FF8F41
                                            • RtlGetVersion, xrefs: 00FF8F49
                                            • variable.cpp, xrefs: 00FF8F83
                                            • ntdll.dll, xrefs: 00FF8F31
                                            • Failed to get OS version from RtlGetVersion, xrefs: 00FF8FB7
                                            Similarity
                                            • API ID: ErrorLastLibrary_memset$AddressDirectoryFreeLoadProcSystem
                                            • String ID: Failed to get OS version from RtlGetVersion$Failed to get RtlGetVersion entry point$Failed to load ntdll.dll$RtlGetVersion$ntdll.dll$variable.cpp
                                            • API String ID: 1538852321-2659798697
                                            APIs
                                            • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,00FF1317,00FF1717,00FF1333,00FF16FB,?,00FF139F,00FF1717,00FF15CF,00FF13CF), ref: 010040D8
                                            Strings
                                            • Failed to add dependents ignored from command-line., xrefs: 01004190
                                            • Failed to add self-dependent to ignore dependents., xrefs: 01004160
                                            • Failed to allocate registration action., xrefs: 01004147
                                            • Failed to check for remaining dependents during planning., xrefs: 0100426C
                                            • Failed to add registration action for dependent related bundle., xrefs: 010043A8
                                            • Failed to add registration action for self dependent., xrefs: 01004372
                                            • Failed to create the string dictionary., xrefs: 01004116
                                            • Failed to add dependent bundle provider key to ignore dependents., xrefs: 0100422A
                                            Similarity
                                            • API ID: CompareString
                                            • String ID: Failed to add dependent bundle provider key to ignore dependents.$Failed to add dependents ignored from command-line.$Failed to add registration action for dependent related bundle.$Failed to add registration action for self dependent.$Failed to add self-dependent to ignore dependents.$Failed to allocate registration action.$Failed to check for remaining dependents during planning.$Failed to create the string dictionary.
                                            • API String ID: 1825529933-2086987450
                                            APIs
                                            • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,00000040,00000000,00000000,00000000), ref: 0102210F
                                            • GetLastError.KERNEL32 ref: 01022115
                                            • ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01022164
                                            • GetLastError.KERNEL32 ref: 0102216A
                                            • GetFullPathNameW.KERNEL32(00000000,00000040,00000000,00000000,00000000,00000040,00000000,00000000,00000000), ref: 0102222B
                                            • GetLastError.KERNEL32 ref: 01022231
                                            • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 01022287
                                            • GetLastError.KERNEL32 ref: 0102228D
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$EnvironmentExpandFullNamePathStrings
                                            • String ID: pathutil.cpp
                                            • API String ID: 1547313835-741606033
                                            APIs
                                            • SetFileAttributesW.KERNEL32(?,000000FE,?,00000000,?,?,?,?,?), ref: 0101231E
                                            • GetLastError.KERNEL32(?,?,?,?,?), ref: 01012328
                                            • CopyFileExW.KERNEL32(?,?,01011AB7,?,?,00000000,?,00000000,?,?,?,?,?,00000000,00000000), ref: 0101237F
                                            • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000000,?,?,0101277A,?,00000000,?,00000000,00000001,00000000), ref: 010123B2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorFileLast$AttributesCopy
                                            • String ID: BA aborted copy of payload from: '%ls' to: %ls.$Failed attempt to copy payload from: '%ls' to: %ls.$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$copy
                                            • API String ID: 1969131206-836986073
                                            APIs
                                            • CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,000000FF,?,00000000,?,?,?,010179AD,?), ref: 01016EF9
                                            • GetLastError.KERNEL32(?,?,?,010179AD,?,?,000000FF,?,000000FF,00000000,?,00000001,?,?,WiX\Burn,DownloadTimeout), ref: 01016F07
                                            • ReadFile.KERNEL32(00000000,00000008,00000008,00000000,00000000,?,?,?,010179AD,?,?,000000FF,?,000000FF,00000000,?), ref: 01016F5C
                                            • CloseHandle.KERNEL32(000000FF,000000FF), ref: 01016F92
                                            • GetLastError.KERNEL32(?,?,?,010179AD,?,?,000000FF,?,000000FF,00000000,?,00000001,?,?,WiX\Burn,DownloadTimeout), ref: 01016FA1
                                            Strings
                                            • Failed to create resume file: %ls, xrefs: 01016F40
                                            • downloadengine.cpp, xrefs: 01016F31, 01016FCB
                                            • Failed to read resume file: %ls, xrefs: 01016FDA
                                            • Failed to calculate resume path from working path: %ls, xrefs: 01016ED1
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorFileLast$CloseCreateHandleRead
                                            • String ID: Failed to calculate resume path from working path: %ls$Failed to create resume file: %ls$Failed to read resume file: %ls$downloadengine.cpp
                                            • API String ID: 3160720760-919322122
                                            APIs
                                            Strings
                                            • Failed to allocate buffer for escaped string., xrefs: 00FF8C60
                                            • Failed to append escape sequence., xrefs: 00FF8CFD
                                            • []{}, xrefs: 00FF8C73
                                            • Failed to copy string., xrefs: 00FF8CEF
                                            • Failed to format escape sequence., xrefs: 00FF8CF6
                                            • [\%c], xrefs: 00FF8CA8
                                            • Failed to append characters., xrefs: 00FF8CD5
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: _wcscspnlstrlen
                                            • String ID: Failed to allocate buffer for escaped string.$Failed to append characters.$Failed to append escape sequence.$Failed to copy string.$Failed to format escape sequence.$[\%c]$[]{}
                                            • API String ID: 2089742776-3250950999
                                            APIs
                                            • GetCurrentProcessId.KERNEL32(00000000,00FF130D,80070642,?,?,00FF130D), ref: 00FF2AEF
                                            • CloseHandle.KERNEL32(000000FF), ref: 00FF2BA4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CloseCurrentHandleProcess
                                            • String ID: -q -%ls %ls %ls %u$Failed to allocate parameters for elevated process.$Failed to launch elevated child process: %ls$burn.elevated$open$runas
                                            • API String ID: 2391145178-1352204306
                                            APIs
                                            • GetModuleHandleW.KERNEL32(msi,DllGetVersion), ref: 00FF9346
                                            • GetProcAddress.KERNEL32(00000000), ref: 00FF934D
                                            • GetLastError.KERNEL32 ref: 00FF9357
                                            Strings
                                            • msi, xrefs: 00FF9340
                                            • DllGetVersion, xrefs: 00FF933B
                                            • Failed to set variant value., xrefs: 00FF93C4
                                            • Failed to find DllGetVersion entry point in msi.dll., xrefs: 00FF9386
                                            • variable.cpp, xrefs: 00FF937C
                                            • Failed to get msi.dll version info., xrefs: 00FF93A0
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: AddressErrorHandleLastModuleProc
                                            • String ID: DllGetVersion$Failed to find DllGetVersion entry point in msi.dll.$Failed to get msi.dll version info.$Failed to set variant value.$msi$variable.cpp
                                            • API String ID: 4275029093-842451892
                                            APIs
                                            • LoadLibraryW.KERNEL32(?,?,?,00FF17CA,?,00000000,?,?,00000000,00000000,?,?,?,00FF1E12,?), ref: 00FFBA5C
                                            • GetLastError.KERNEL32(?,00FF17CA,?,00000000,?,?,00000000,00000000,?,?,?,00FF1E12,?), ref: 00FFBA69
                                            • GetProcAddress.KERNEL32(00000000,BootstrapperApplicationCreate), ref: 00FFBAA2
                                            • GetLastError.KERNEL32(?,00FF17CA,?,00000000,?,?,00000000,00000000,?,?,?,00FF1E12,?), ref: 00FFBAAC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorLast$AddressLibraryLoadProc
                                            • String ID: BootstrapperApplicationCreate$Failed to create UX.$Failed to get BootstrapperApplicationCreate entry-point$Failed to load UX DLL.$userexperience.cpp
                                            • API String ID: 1866314245-2276003667
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?), ref: 01002579
                                            • LeaveCriticalSection.KERNEL32(?), ref: 010026EC
                                            Strings
                                            • UX requested unknown payload with id: %ls, xrefs: 010025C6
                                            • Engine is active, cannot change engine state., xrefs: 01002593
                                            • Failed to set download password., xrefs: 010026A9
                                            • Failed to set download user., xrefs: 01002685
                                            • Failed to set download URL., xrefs: 0100260B
                                            • UX requested unknown container with id: %ls, xrefs: 0100263E
                                            • UX did not provide container or payload id., xrefs: 0100265E
                                            • UX denied while trying to set download URL on embedded payload: %ls, xrefs: 010025DC
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID: Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
                                            • API String ID: 3168844106-2615595102
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?,000000F9,00000001,00000000,000000F9,00000031,000000F9,00000105,00000000,?,?,?), ref: 00FFA7F8
                                            • LeaveCriticalSection.KERNEL32(00000000), ref: 00FFA929
                                            Strings
                                            • Unsupported variable type., xrefs: 00FFA8F6
                                            • Failed to read variable value as string., xrefs: 00FFA8EA
                                            • Failed to read variable value type., xrefs: 00FFA90B
                                            • Failed to read variable count., xrefs: 00FFA817
                                            • Failed to set variable., xrefs: 00FFA919
                                            • Failed to read variable included flag., xrefs: 00FFA8FD
                                            • Failed to read variable value as number., xrefs: 00FFA912
                                            • Failed to read variable name., xrefs: 00FFA904
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID: Failed to read variable count.$Failed to read variable included flag.$Failed to read variable name.$Failed to read variable value as number.$Failed to read variable value as string.$Failed to read variable value type.$Failed to set variable.$Unsupported variable type.
                                            • API String ID: 3168844106-1201737872
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?,00000000,00000000,?,?,?,00FFFBF0,00000001,00000000,?,01013ED5,?,01013ED5,?,?,01013ED5), ref: 00FF8D3A
                                            • LeaveCriticalSection.KERNEL32(?,?,01013ED5,?,?,?,?,00FFFBF0,00000001,00000000,?,01013ED5,?,01013ED5,?,?), ref: 00FF8E5D
                                            Strings
                                            • Unsupported variable type., xrefs: 00FF8E30
                                            • Failed to write variable value type., xrefs: 00FF8E45
                                            • Failed to write variable value as number., xrefs: 00FF8E4C
                                            • Failed to write included flag., xrefs: 00FF8E37
                                            • Failed to write variable value as string., xrefs: 00FF8E24
                                            • Failed to write variable count., xrefs: 00FF8D56
                                            • Failed to write variable name., xrefs: 00FF8E3E
                                            • 0, xrefs: 00FF8E02
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID: 0$Failed to write included flag.$Failed to write variable count.$Failed to write variable name.$Failed to write variable value as number.$Failed to write variable value as string.$Failed to write variable value type.$Unsupported variable type.
                                            • API String ID: 3168844106-1107513445
                                            APIs
                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00FF7D57
                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00FF7D7C
                                            Strings
                                            • MsiComponentSearch failed: ID '%ls', HRESULT 0x%x, xrefs: 00FF7E6D
                                            • Failed to get component path: %d, xrefs: 00FF7DDF
                                            • Failed to format product code string., xrefs: 00FF7D87
                                            • Failed to set variable., xrefs: 00FF7E5D
                                            • Failed to format component id string., xrefs: 00FF7D62
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Open@16
                                            • String ID: Failed to format component id string.$Failed to format product code string.$Failed to get component path: %d$Failed to set variable.$MsiComponentSearch failed: ID '%ls', HRESULT 0x%x
                                            • API String ID: 3613110473-1671347822
                                            APIs
                                            Strings
                                            • Failed to read action., xrefs: 01000D6D
                                            • Failed to read rollback., xrefs: 01000D8E
                                            • Failed to read package log., xrefs: 01000D4C
                                            • Failed to read package id., xrefs: 01000D2B
                                            • Failed to read StopWusaService., xrefs: 01000DAC
                                            • Failed to execute MSU package., xrefs: 01000DFC
                                            • Failed to find package: %ls, xrefs: 01000DCB
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: _memset
                                            • String ID: Failed to execute MSU package.$Failed to find package: %ls$Failed to read StopWusaService.$Failed to read action.$Failed to read package id.$Failed to read package log.$Failed to read rollback.
                                            APIs
                                            • PeekMessageW.USER32(00000000,00000000,00000400,00000400,00000000), ref: 00FF1789
                                            • GetCurrentThreadId.KERNEL32 ref: 00FF178F
                                            • GetMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FF1816
                                            Strings
                                            • engine.cpp, xrefs: 00FF1862
                                            • Failed to start bootstrapper application., xrefs: 00FF17EB
                                            • Failed to create engine for UX., xrefs: 00FF17A7
                                            • Unexpected return value from message pump., xrefs: 00FF186F
                                            • Failed to load UX., xrefs: 00FF17D1
                                            Similarity
                                            • API ID: Message$CurrentPeekThread
                                            • String ID: Failed to create engine for UX.$Failed to load UX.$Failed to start bootstrapper application.$Unexpected return value from message pump.$engine.cpp
                                            APIs
                                            • CoCreateInstance.OLE32(0103FB30,00000000,00000017,0103FB40,?,00000000,00000000,?,?,?,?,?,?,?,01018157,?), ref: 01017B29
                                            Strings
                                            • Failed to create IBackgroundCopyManager., xrefs: 01017B35
                                            • Failed to create BITS job., xrefs: 01017B5C
                                            • WixBurn, xrefs: 01017B4D
                                            • Failed to set progress timeout., xrefs: 01017BA4
                                            • Failed to set notification flags for BITS job., xrefs: 01017B74
                                            • Failed to set BITS job to foreground., xrefs: 01017BBB
                                            • Failed to set BITS job to low priority., xrefs: 01017B91
                                            Similarity
                                            • API ID: CreateInstance
                                            • String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set BITS job to low priority.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
                                            APIs
                                            • WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,00000000,?,00000000,00000000,00FF1E12,00000000,00000000,?,?), ref: 00FF386E
                                            • GetLastError.KERNEL32(?,?,?,00FF1AC0,?,?,00000000,?,?,00000000,?,?,?,?,?,00000001), ref: 00FF3879
                                            Strings
                                            • Failed to post terminate message to child process., xrefs: 00FF385A
                                            • Failed to post terminate message to child process cache thread., xrefs: 00FF383E
                                            • Failed to write restart to message buffer., xrefs: 00FF3807
                                            • Failed to wait for child process exit., xrefs: 00FF38A8
                                            • pipe.cpp, xrefs: 00FF389E
                                            • Failed to write exit code to message buffer., xrefs: 00FF37EA
                                            Similarity
                                            • API ID: ErrorLastObjectSingleWait
                                            • String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$pipe.cpp
                                            APIs
                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00FF75CB
                                            • GetFileAttributesW.KERNEL32(?,?,?,?,00000000,?,?,00000000,?,00FF8B78,?,?,?,?,?,?), ref: 00FF75E3
                                            • GetLastError.KERNEL32(?,00FF8B78,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00FF75EE
                                            Strings
                                            • search.cpp, xrefs: 00FF761F
                                            • Failed to set variable., xrefs: 00FF7674
                                            • Failed get to file attributes. '%ls', xrefs: 00FF762C
                                            • Failed to format variable string., xrefs: 00FF75D6
                                            • File search: %ls, did not find path: %ls, xrefs: 00FF7641
                                            Similarity
                                            • API ID: AttributesErrorFileLastOpen@16
                                            • String ID: Failed get to file attributes. '%ls'$Failed to format variable string.$Failed to set variable.$File search: %ls, did not find path: %ls$search.cpp
                                            APIs
                                            • RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00FF9B87
                                              • Part of subcall function 010237DF: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,80070002,80070003,00000000,00000000,00000000), ref: 01023850
                                              • Part of subcall function 010237DF: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 01023889
                                            Similarity
                                            • API ID: QueryValue$Close
                                            • String ID: +$CommonFilesDir$Failed to ensure path was backslash terminated.$Failed to open Windows folder key.$Failed to read folder path for '%ls'.$ProgramFilesDir$SOFTWARE\Microsoft\Windows\CurrentVersion
                                            APIs
                                              • Part of subcall function 01001BC4: RegCloseKey.ADVAPI32(?,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,?,00000001,?,?,?,01001F22,00000000,?,?,?), ref: 01001C51
                                            • Sleep.KERNEL32(000007D0,00000001,00000000,Setup,00000000,log,0000000D,00000000,00000000,?,?,?), ref: 01001FB1
                                            Strings
                                            • Failed to copy log extension to extension., xrefs: 0100210A
                                            • log, xrefs: 01001F60
                                            • Setup, xrefs: 01001F66
                                            • Failed to copy full log path to prefix., xrefs: 01002125
                                            • Failed to copy log path to prefix., xrefs: 010020EB
                                            • Failed to get non-session specific TEMP folder., xrefs: 01002063
                                            • Failed to get current directory., xrefs: 01001F9D
                                            • Failed to open log: %ls, xrefs: 0100202B
                                            Similarity
                                            • API ID: CloseSleep
                                            • String ID: Failed to copy full log path to prefix.$Failed to copy log extension to extension.$Failed to copy log path to prefix.$Failed to get current directory.$Failed to get non-session specific TEMP folder.$Failed to open log: %ls$Setup$log
                                            APIs
                                            • GetWindowLongW.USER32(?,000000EB), ref: 010063AF
                                            • DefWindowProcW.USER32(?,00000082,?,?), ref: 010063E7
                                            • SetWindowLongW.USER32(?,000000EB,00000000), ref: 010063F4
                                            • SetWindowLongW.USER32(?,000000EB,?), ref: 01006403
                                            • DefWindowProcW.USER32(?,?,?,?), ref: 01006411
                                            • _memset.LIBCMT ref: 01006426
                                            • BeginPaint.USER32(?,?), ref: 01006433
                                            • EndPaint.USER32(?,?), ref: 01006444
                                            • PostQuitMessage.USER32(00000000), ref: 0100644E
                                            Similarity
                                            • API ID: Window$Long$PaintProc$BeginMessagePostQuit_memset
                                            APIs
                                              • Part of subcall function 0102209C: lstrlenW.KERNEL32(00000000,00000000,?,010225FD,?,00000000,00000000,?,?,0100783B,?,00000000,00000000,00000000), ref: 010220A4
                                              • Part of subcall function 01025D1F: _memset.LIBCMT ref: 01025D4A
                                              • Part of subcall function 01025D1F: FindFirstFileW.KERNELBASE(00000000,?,00000000,?,80070002), ref: 01025D5A
                                              • Part of subcall function 01025D1F: FindClose.KERNEL32(00000000), ref: 01025D66
                                            • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,?,?,?,?,?,?,?,?,?,00000000), ref: 01008AF1
                                            Strings
                                            • Failed to get path to current process., xrefs: 01008A74
                                            • WixBundleOriginalSource, xrefs: 01008A37
                                            • WixBundleLastUsedSource, xrefs: 01008A1C
                                            • Failed to copy source path., xrefs: 01008B3F, 01008B66
                                            • Failed to combine last source with source., xrefs: 01008AAD
                                            • Failed to get current process directory., xrefs: 01008A92
                                            Similarity
                                            • API ID: Find$CloseCompareFileFirstString_memsetlstrlen
                                            • String ID: Failed to combine last source with source.$Failed to copy source path.$Failed to get current process directory.$Failed to get path to current process.$WixBundleLastUsedSource$WixBundleOriginalSource
                                            APIs
                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 010171A8
                                            • GetLastError.KERNEL32(?,?,?,0101747C,00000000,?,00000000,?,00000000,00000000,00000001,?), ref: 010171B2
                                            Strings
                                            • Failed to get HTTP status code for request to URL: %ls, xrefs: 01017345
                                            • Failed to get redirect url: %ls, xrefs: 0101734E
                                            • Failed to get HTTP status code for failed request to URL: %ls, xrefs: 010171EA
                                            • Failed to send request to URL: %ls, trying to process HTTP status code anyway., xrefs: 010171CA
                                            • Unknown HTTP status code %d, returned from URL: %ls, xrefs: 0101724C
                                            Similarity
                                            • API ID: ErrorHttpLastRequestSend
                                            • String ID: Failed to get HTTP status code for failed request to URL: %ls$Failed to get HTTP status code for request to URL: %ls$Failed to get redirect url: %ls$Failed to send request to URL: %ls, trying to process HTTP status code anyway.$Unknown HTTP status code %d, returned from URL: %ls
                                            APIs
                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000000,01047E3C), ref: 0101FE0B
                                            • _memset.LIBCMT ref: 0101FE23
                                            • GetComputerNameW.KERNEL32(?,?), ref: 0101FE63
                                            Strings
                                            • === Logging started: %ls ===, xrefs: 0101FE8C
                                            • Executable: %ls v%d.%d.%d.%d, xrefs: 0101FEBD
                                            • --- logging level: %hs ---, xrefs: 0101FF19
                                            • Computer : %ls, xrefs: 0101FECF
                                            Similarity
                                            • API ID: Name$ComputerFileModule_memset
                                            • String ID: --- logging level: %hs ---$=== Logging started: %ls ===$Computer : %ls$Executable: %ls v%d.%d.%d.%d
                                            APIs
                                            • RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,00000000,00000001,?,000000F9,00000001,?,00000105,00000000,?,?), ref: 00FF57AB
                                            • RegCloseKey.ADVAPI32(?,?,?,00000001,?,?,00000000,00000001,?,000000F9,00000001,?,00000105,00000000,?,?), ref: 00FF57B8
                                            Strings
                                            • %ls.RebootRequired, xrefs: 00FF56A7
                                            • Failed to open registration key., xrefs: 00FF571B
                                            • Resume, xrefs: 00FF5726
                                            • Failed to format pending restart registry key to read., xrefs: 00FF56C7
                                            • Failed to read Resume value., xrefs: 00FF5746
                                            Similarity
                                            • API ID: Close
                                            • String ID: %ls.RebootRequired$Failed to format pending restart registry key to read.$Failed to open registration key.$Failed to read Resume value.$Resume
                                            APIs
                                            • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,?,7FFFFFFF,?,?,7FFFFFFF,?,00000000,?,00000000), ref: 010099F5
                                            • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,01012AA7,000000FF,01012AA7,WixBundleLastUsedSource,01012AA7,?,?,?,?,?,01012AA7,?), ref: 01009A3C
                                            Strings
                                            Similarity
                                            • API ID: CompareString
                                            • String ID: Failed to determine length of relative path.$Failed to determine length of source path.$Failed to set last source.$Failed to trim source folder.$WixBundleLastUsedSource
                                            APIs
                                            Strings
                                            • Failed to read installed ProductCode from message buffer., xrefs: 00FFF5EA
                                            • Failed to read package id from message buffer., xrefs: 00FFF59C
                                            • Failed to copy installed ProductCode., xrefs: 00FFF629
                                            • Failed to find package: %ls, xrefs: 00FFF5BE
                                            • Failed to load compatible package., xrefs: 00FFF65A
                                            • Failed to read installed version from message buffer., xrefs: 00FFF60A
                                            Similarity
                                            • API ID: _memset
                                            • String ID: Failed to copy installed ProductCode.$Failed to find package: %ls$Failed to load compatible package.$Failed to read installed ProductCode from message buffer.$Failed to read installed version from message buffer.$Failed to read package id from message buffer.
                                            APIs
                                              • Part of subcall function 00FF4D26: CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,?,000000FF,00000000,00000000,?,?,?,00FFF15B,?,?,?,?), ref: 00FF4D4B
                                            • CreateFileW.KERNEL32(00FF222A,80000000,00000005,00000000,00000003,08000000,00000000,00FF222A,E8530674,00000000,00FF1E8E,33FF50BC,00FF1F0E,00FF1AAE,00FF1E22,00000000), ref: 00FF3D83
                                              • Part of subcall function 01008E97: _memset.LIBCMT ref: 01008EF1
                                            • GetLastError.KERNEL32 ref: 00FF3DCC
                                            Strings
                                            • catalog.cpp, xrefs: 00FF3DEE
                                            • Failed to find payload for catalog file., xrefs: 00FF3DB6
                                            • Failed to get catalog local file path, xrefs: 00FF3DBD
                                            • Failed to open catalog in working path: %ls, xrefs: 00FF3DFB
                                            • Failed to verify catalog signature: %ls, xrefs: 00FF3E05
                                            Similarity
                                            • API ID: CompareCreateErrorFileLastString_memset
                                            • String ID: Failed to find payload for catalog file.$Failed to get catalog local file path$Failed to open catalog in working path: %ls$Failed to verify catalog signature: %ls$catalog.cpp
                                            APIs
                                            • WaitForSingleObject.KERNEL32(?,000000FF,74DF30B0,?,00000000), ref: 01014FB5
                                            • ReleaseMutex.KERNEL32(?), ref: 01014FD5
                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 01015017
                                            • ReleaseMutex.KERNEL32(?), ref: 0101502A
                                            • SetEvent.KERNEL32(?), ref: 01015033
                                            Strings
                                            • Failed to send files in use message from netfx chainer., xrefs: 01015074
                                            • Failed to get message from netfx chainer., xrefs: 0101504E
                                            Similarity
                                            • API ID: MutexObjectReleaseSingleWait$Event
                                            • String ID: Failed to get message from netfx chainer.$Failed to send files in use message from netfx chainer.
                                            APIs
                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00FF74FA
                                            • GetFileAttributesW.KERNEL32(00000000,?,?,00000000,00000000,?,00000000,?,00FF8B89,?,?,?), ref: 00FF750F
                                            • GetLastError.KERNEL32(?,00FF8B89,?,?,?), ref: 00FF751A
                                            Strings
                                            • Directory search: %ls, did not find path: %ls, reason: 0x%x, xrefs: 00FF758F
                                            • Failed to set directory search path variable., xrefs: 00FF754C
                                            • Failed while searching directory search: %ls, for path: %ls, xrefs: 00FF7579
                                            • Failed to format variable string., xrefs: 00FF7505
                                            Similarity
                                            • API ID: AttributesErrorFileLastOpen@16
                                            • String ID: Directory search: %ls, did not find path: %ls, reason: 0x%x$Failed to format variable string.$Failed to set directory search path variable.$Failed while searching directory search: %ls, for path: %ls
                                            APIs
                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00FF775C
                                            • GetFileAttributesW.KERNEL32(00000000,?,?,00000000,00000000,?,00000000,?,00FF8B66,?,?,?), ref: 00FF7771
                                            • GetLastError.KERNEL32(?,00FF8B66,?,?,?), ref: 00FF777C
                                            Strings
                                            • Failed to set variable to file search path., xrefs: 00FF77D5
                                            • Failed while searching file search: %ls, for path: %ls, xrefs: 00FF77AB
                                            • Failed to format variable string., xrefs: 00FF7767
                                            • File search: %ls, did not find path: %ls, xrefs: 00FF77E9
                                            Similarity
                                            • API ID: AttributesErrorFileLastOpen@16
                                            • String ID: Failed to format variable string.$Failed to set variable to file search path.$Failed while searching file search: %ls, for path: %ls$File search: %ls, did not find path: %ls
                                            APIs
                                            • _memset.LIBCMT ref: 010078FC
                                            • GetTempPathW.KERNEL32(00000104,?,?,?,?), ref: 01007910
                                            • GetLastError.KERNEL32(?,?,?), ref: 0100791A
                                            Strings
                                            • cache.cpp, xrefs: 0100793F
                                            • Failed to append bundle id on to temp path for working folder., xrefs: 0100796C
                                            • %ls%ls\, xrefs: 01007958
                                            • Failed to get temp path for working folder., xrefs: 01007949
                                            Similarity
                                            • API ID: ErrorLastPathTemp_memset
                                            • String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to get temp path for working folder.$cache.cpp
                                            APIs
                                            • WaitForSingleObject.KERNEL32(00000001,000000FF,?,?,00FFC692,?,00FF138B,00000000,?,00FF13BB,00000001), ref: 00FFC1F6
                                            • GetLastError.KERNEL32(?,?,00FFC692,?,00FF138B,00000000,?,00FF13BB,00000001), ref: 00FFC200
                                            • GetExitCodeThread.KERNEL32(00000001,00000000,?,?,00FFC692,?,00FF138B,00000000,?,00FF13BB,00000001), ref: 00FFC242
                                            • GetLastError.KERNEL32(?,?,00FFC692,?,00FF138B,00000000,?,00FF13BB,00000001), ref: 00FFC24C
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$CodeExitObjectSingleThreadWait
                                            • String ID: Failed to get cache thread exit code.$Failed to wait for cache thread to terminate.$core.cpp
                                            APIs
                                              • Part of subcall function 010225A1: SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,01007AE2,0000001C,00000000,00000000,00000000,00000000), ref: 010225C2
                                            • lstrlenA.KERNEL32(E90102F2,00000000,00FF13BB,00000000,00FF13BB,00FF7089,00FF7089,?,0C683C79,00FF13BB,00FF706D,?,UninstallString,00FF13BB), ref: 00FF5F63
                                            Strings
                                            Similarity
                                            • API ID: FolderPathlstrlen
                                            • String ID: Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to find local %hs appdata directory.$Failed to write tag xml to file: %ls$UninstallString$per-machine$per-user
                                            APIs
                                            • SetFileAttributesW.KERNEL32(?,000000FE,?,00000000,?,?,?,00000000,?,00000000), ref: 010124C0
                                            • GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 010124CA
                                            Strings
                                            • Failed to clear readonly bit on payload destination path: %ls, xrefs: 010124FA
                                            • apply.cpp, xrefs: 010124EF
                                            • download, xrefs: 0101248B
                                            • Failed attempt to download URL: '%ls' to: '%ls', xrefs: 0101258F
                                            Similarity
                                            • API ID: AttributesErrorFileLast
                                            • String ID: Failed attempt to download URL: '%ls' to: '%ls'$Failed to clear readonly bit on payload destination path: %ls$apply.cpp$download
                                            APIs
                                            Strings
                                            • Failed to get version for product in machine context: %ls, xrefs: 00FF7FD4
                                            • Failed to enum related products., xrefs: 00FF7FC1
                                            • Failed to convert version: %ls to DWORD64 for ProductCode: %ls, xrefs: 00FF7FEB
                                            • Failed to get version for product in user unmanaged context: %ls, xrefs: 00FF7F41
                                            • VersionString, xrefs: 00FF7F16, 00FF7F4F
                                            Similarity
                                            • API ID: _memset
                                            • String ID: Failed to convert version: %ls to DWORD64 for ProductCode: %ls$Failed to enum related products.$Failed to get version for product in machine context: %ls$Failed to get version for product in user unmanaged context: %ls$VersionString
                                            APIs
                                            • Sleep.KERNEL32(000007D0,?,00000000,00000000,?), ref: 01009719
                                              • Part of subcall function 01026CB2: _memset.LIBCMT ref: 01026D27
                                              • Part of subcall function 01026CB2: _memset.LIBCMT ref: 01026D35
                                              • Part of subcall function 01026CB2: GetFileAttributesW.KERNELBASE(?,?,?,?,00000000,?,00000000), ref: 01026D3E
                                              • Part of subcall function 01026CB2: GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 01026D59
                                            Strings
                                            Similarity
                                            • API ID: _memset$AttributesErrorFileLastSleep
                                            • String ID: Failed to calculate cache path.$Failed to ensure cache directory to remove was backslash terminated.$Failed to get %hs package cache root directory.$Failed to get old %hs package cache root directory.$per-machine$per-user
                                            • API String ID: 6426718-1559687374
                                            APIs
                                            • _memset.LIBCMT ref: 010118D2
                                              • Part of subcall function 0102202C: GetModuleFileNameW.KERNEL32(00FF213E,?,00000104,?,00000104,?,00000000,?,?,00FF213E,?,00000000,?,?,?,76EEC3F0), ref: 0102204D
                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?), ref: 0101194D
                                              • Part of subcall function 0102232A: CompareStringW.KERNEL32(00000000,00000001,00000000,000000FF,00000000,000000FF,00000000,00000000,00000003,00000000,00000000,00000003,00000000,00000000), ref: 0102236E
                                            Strings
                                            • Failed to skip the extraction of payload: %ls from container: %ls, xrefs: 010119F4
                                            • Failed to extract all payloads from container: %ls, xrefs: 01011998
                                            • Failed to extract payload: %ls from container: %ls, xrefs: 010119E8
                                            • Failed to open container: %ls., xrefs: 0101192B
                                            Similarity
                                            • API ID: CompareString$FileModuleName_memset
                                            • String ID: Failed to extract all payloads from container: %ls$Failed to extract payload: %ls from container: %ls$Failed to open container: %ls.$Failed to skip the extraction of payload: %ls from container: %ls
                                            • API String ID: 3323778125-3891707333
                                            APIs
                                            • CreateDirectoryW.KERNEL32(00FF2142,00000000,?,?,?,?,00FF1E8E,00FF2222), ref: 010224CE
                                            • GetLastError.KERNEL32(?,?,?,?,00FF1E8E,00FF2222), ref: 010224DC
                                            • GetTempPathW.KERNEL32(00000104,00000000,00000000,00000104,00000000,00000000,00FF1E22,?,?,?,00FFB793,00000000,.ba%d,000F423F,00FF1E8E,00FF2222), ref: 01022512
                                            • GetLastError.KERNEL32(?,?,?,00FFB793,00000000,.ba%d,000F423F,00FF1E8E,00FF2222,00000000,00FF1D56,?,?,00FFD927,02BB4868,00FF1E22), ref: 01022520
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$CreateDirectoryPathTemp
                                            • String ID: %s%s$pathutil.cpp
                                            • API String ID: 2804724334-3961969462
                                            APIs
                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,0000FDE9), ref: 01020D77
                                            • GetLastError.KERNEL32 ref: 01020D7D
                                              • Part of subcall function 0102293A: GetProcessHeap.KERNEL32(00000000,?,?,01020E95,?,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000,00000000), ref: 01022942
                                              • Part of subcall function 0102293A: HeapSize.KERNEL32(00000000,?,01020E95,?,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000,00000000,?), ref: 01022949
                                            Strings
                                            Similarity
                                            • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
                                            • String ID: W$strutil.cpp
                                            • API String ID: 3662877508-3697633219
                                            APIs
                                            • EnterCriticalSection.KERNEL32(01047E3C,00000001,00000000,00000001,?,?,0100208C,00000001,?,00000000,?,00000000,00000000,0000000D,00000000,Setup), ref: 0101FF5D
                                            • CreateFileW.KERNEL32(40000000,00000001,00000000,?,00000080,00000000,?,00000000,?,?,00000000,01047E34,?,?,0100208C,00000001), ref: 0101FFFE
                                            • GetLastError.KERNEL32(?,?,0100208C,00000001,?,00000000,?,00000000,00000000,0000000D,00000000,Setup,00000000,log,0000000D,00000000), ref: 0102000E
                                            • SetFilePointer.KERNEL32(00000000,00000000,00000002,?,?,0100208C,00000001,?,00000000,?,00000000,00000000,0000000D,00000000,Setup,00000000), ref: 01020049
                                              • Part of subcall function 0102263E: _memset.LIBCMT ref: 0102268D
                                              • Part of subcall function 0102263E: GetLocalTime.KERNEL32(?,?,?,?,00000000,?), ref: 0102277F
                                            • LeaveCriticalSection.KERNEL32(01047E3C,?,00000000,01047E34,?,?,0100208C,00000001,?,00000000,?,00000000,00000000,0000000D,00000000,Setup), ref: 0102009E
                                            Strings
                                            Similarity
                                            • API ID: CriticalFileSection$CreateEnterErrorLastLeaveLocalPointerTime_memset
                                            • String ID: logutil.cpp
                                            • API String ID: 654766419-3545173039
                                            APIs
                                            • lstrlenW.KERNEL32(?,0000000E,?,00000000,00000002,?,010072FF,0000000E,?,?,?,?), ref: 010070E9
                                            • lstrlenW.KERNEL32(?,?,010072FF,0000000E,?,?,?,?), ref: 010070F0
                                            • CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,010072FF,0000000E,?,?,?,?), ref: 01007137
                                            • CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,010072FF,0000000E,?,?,?,?), ref: 01007190
                                            • CompareStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,?,010072FF,0000000E,?,?,?,?), ref: 010071C1
                                            Strings
                                            Similarity
                                            • API ID: CompareString$lstrlen
                                            • String ID: W
                                            • API String ID: 1657112622-655174618
                                            APIs
                                            • CloseHandle.KERNEL32(00000000,8900011A,00FF17A1,00000001,?,00FF17A1,00000001,000000FF,00FF17A1,00FF17A5,00000000,00FF13C5,00000001,00000000,?,00FFBD45), ref: 00FFFAE3
                                            Strings
                                            • Failed to create pipe and cache pipe., xrefs: 00FFFA59
                                            • Failed to elevate., xrefs: 00FFFACC
                                            • elevation.cpp, xrefs: 00FFFA07
                                            • UX aborted elevation requirement., xrefs: 00FFFA11
                                            • Failed to connect to elevated child process., xrefs: 00FFFAC1
                                            • Failed to create pipe name and client token., xrefs: 00FFFA3D
                                            Similarity
                                            • API ID: CloseHandle
                                            • String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$elevation.cpp
                                            • API String ID: 2962429428-3003415917
                                            APIs
                                            • CheckTokenMembership.ADVAPI32(?,?,?,?,?,?,010204A2,?,?,76EEC3F0,?,00000000), ref: 0102039E
                                            • GetLastError.KERNEL32(?,?,?,010204A2,?,?,76EEC3F0,?,00000000), ref: 010203AC
                                            • AllocateAndInitializeSid.ADVAPI32(01020496,EC83EC8B,FFFFFEB6,5FFC4D8B,5BCD335E,FF809BE8,04C2C9FF,EC8B5500,FC5D89F6,FFF45D89,?,?,?), ref: 010203FF
                                            • GetLastError.KERNEL32(?,?,?,010204A2,?,?,76EEC3F0,?,00000000), ref: 01020409
                                            • FreeSid.ADVAPI32(?,?,?,?,010204A2,?,?,76EEC3F0,?,00000000), ref: 0102043F
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$AllocateCheckFreeInitializeMembershipToken
                                            • String ID: aclutil.cpp
                                            • API String ID: 1125035699-2159165307
                                            APIs
                                            • VariantInit.OLEAUT32(?), ref: 01025A30
                                            • SysAllocString.OLEAUT32(?), ref: 01025A4C
                                            • VariantClear.OLEAUT32(?), ref: 01025AD3
                                            • SysFreeString.OLEAUT32(00000000), ref: 01025ADE
                                            Strings
                                            Similarity
                                            • API ID: StringVariant$AllocClearFreeInit
                                            • String ID: `<u$xmlutil.cpp
                                            • API String ID: 760788290-3482516102
                                            APIs
                                            Strings
                                            • cabextract.cpp, xrefs: 0101605A
                                            • Failed to write during cabinet extraction., xrefs: 01016064
                                            • Unexpected call to CabWrite()., xrefs: 01015FED
                                            Similarity
                                            • API ID: ErrorFileLastWrite_memcpy_s
                                            • String ID: Failed to write during cabinet extraction.$Unexpected call to CabWrite().$cabextract.cpp
                                            • API String ID: 1970631241-3111339858
                                            APIs
                                            • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 01015F52
                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 01015F64
                                            • SetFileTime.KERNEL32(?,?,?,?), ref: 01015F77
                                            • CloseHandle.KERNEL32(?), ref: 01015F86
                                            Strings
                                            • cabextract.cpp, xrefs: 01015F22
                                            • Invalid operation for this state., xrefs: 01015F2E
                                            Similarity
                                            • API ID: Time$File$CloseDateHandleLocal
                                            • String ID: Invalid operation for this state.$cabextract.cpp
                                            • API String ID: 609741386-1751360545
                                            APIs
                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00FF743D
                                            • GetFileAttributesW.KERNEL32(?,?,?,?,00000000,?,?,00000000,00000000,?,00FF8B91,?,?,?,?,?), ref: 00FF7452
                                            • GetLastError.KERNEL32(?,00FF8B91,?,?,?,?,?,?,?,?,00000001,00000000), ref: 00FF745D
                                            Strings
                                            • Failed to set variable., xrefs: 00FF74C3
                                            • Failed while searching directory search: %ls, for path: %ls, xrefs: 00FF749B
                                            • Failed to format variable string., xrefs: 00FF7448
                                            Similarity
                                            • API ID: AttributesErrorFileLastOpen@16
                                            • String ID: Failed to format variable string.$Failed to set variable.$Failed while searching directory search: %ls, for path: %ls
                                            • API String ID: 1811509786-402580132
                                            APIs
                                            • SysFreeString.OLEAUT32(00000000), ref: 010067E1
                                            Strings
                                            • Failed to get Condition inner text., xrefs: 010067B1
                                            • Condition, xrefs: 0100677C
                                            • `<u, xrefs: 010067E1
                                            • Failed to select condition node., xrefs: 01006798
                                            • Failed to copy condition string from BSTR, xrefs: 010067CB
                                            Similarity
                                            • API ID: FreeString
                                            • String ID: Condition$Failed to copy condition string from BSTR$Failed to get Condition inner text.$Failed to select condition node.$`<u
                                            • API String ID: 3341692771-266405526
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: ErrorLastPathTemp_memset
                                            • String ID: Failed to get temp path.$Failed to set variant value.$variable.cpp
                                            • API String ID: 623060366-2915113195
                                            APIs
                                            • GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,00000000,?,?,00FF9127,00000000), ref: 0102058E
                                            • GetProcAddress.KERNEL32(00000000), ref: 01020595
                                            • GetLastError.KERNEL32(?,?,00FF9127,00000000), ref: 010205AC
                                            Strings
                                            Similarity
                                            • API ID: AddressErrorHandleLastModuleProc
                                            • String ID: IsWow64Process$kernel32$procutil.cpp
                                            • API String ID: 4275029093-1586155540
                                            APIs
                                            • GetModuleHandleW.KERNEL32(KERNEL32.DLL,01043370,00000008,01019ECD,00000000,00000000,?,0102924C,?,?,00000000,00000000), ref: 01019DD6
                                            • __lock.LIBCMT ref: 01019E0A
                                              • Part of subcall function 0101BE4B: __mtinitlocknum.LIBCMT ref: 0101BE61
                                              • Part of subcall function 0101BE4B: __amsg_exit.LIBCMT ref: 0101BE6D
                                              • Part of subcall function 0101BE4B: EnterCriticalSection.KERNEL32(00000000,00000000,?,01019E0F,0000000D,?,0102924C,?,?,00000000,00000000), ref: 0101BE75
                                            • InterlockedIncrement.KERNEL32(?), ref: 01019E17
                                            • __lock.LIBCMT ref: 01019E2B
                                            • ___addlocaleref.LIBCMT ref: 01019E49
                                            Strings
                                            Similarity
                                            • API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
                                            • String ID: KERNEL32.DLL
                                            • API String ID: 637971194-2576044830
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?), ref: 010022CD
                                            • LeaveCriticalSection.KERNEL32(?,?), ref: 01002414
                                              • Part of subcall function 00FFB6FB: _memset.LIBCMT ref: 00FFB720
                                            Strings
                                            • update\%ls, xrefs: 01002328
                                            • Failed to set update bundle., xrefs: 010023E5
                                            • Failed to recreate command-line for update bundle., xrefs: 0100238D
                                            • Failed to default local update source, xrefs: 0100233C
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave_memset
                                            • String ID: Failed to default local update source$Failed to recreate command-line for update bundle.$Failed to set update bundle.$update\%ls
                                            • API String ID: 3751686142-1266646976
                                            APIs
                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,000000FF,00000000,00000000,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000), ref: 01020EC1
                                            • GetLastError.KERNEL32(?,?,?,0101FD73,?,?,00000000,00000000,?,75C0B390,?,?,?,01020138,?,?), ref: 01020EC7
                                              • Part of subcall function 0102293A: GetProcessHeap.KERNEL32(00000000,?,?,01020E95,?,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000,00000000), ref: 01022942
                                              • Part of subcall function 0102293A: HeapSize.KERNEL32(00000000,?,01020E95,?,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000,00000000,?), ref: 01022949
                                            Strings
                                            Similarity
                                            • API ID: Heap$ByteCharErrorLastMultiProcessSizeWide
                                            • String ID: W$strutil.cpp
                                            • API String ID: 3662877508-3697633219
                                            APIs
                                            • GetLastError.KERNEL32(?,?,01041F04,00000208,00000000,?,0101FE45,?,?,?), ref: 01026293
                                            • GlobalAlloc.KERNEL32(00000000,?,?,?,01041F04,00000208,00000000,?,0101FE45,?,?,?), ref: 010262C1
                                            • GetLastError.KERNEL32(?,?,?,00000000,?,0101FE45,?,?,?), ref: 010262EE
                                            • GetLastError.KERNEL32(0101FE45,010422E4,?,?,?,?,?,00000000,?,0101FE45,?,?,?), ref: 01026323
                                            • GlobalFree.KERNEL32(0101FE45), ref: 0102635F
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$Global$AllocFree
                                            • String ID: fileutil.cpp
                                            • API String ID: 1145190524-2967768451
                                            APIs
                                            • __getptd.LIBCMT ref: 0101CC5D
                                              • Part of subcall function 01019EF2: __getptd_noexit.LIBCMT ref: 01019EF5
                                              • Part of subcall function 01019EF2: __amsg_exit.LIBCMT ref: 01019F02
                                            • __amsg_exit.LIBCMT ref: 0101CC7D
                                            • __lock.LIBCMT ref: 0101CC8D
                                            • InterlockedDecrement.KERNEL32(?), ref: 0101CCAA
                                            • _free.LIBCMT ref: 0101CCBD
                                            • InterlockedIncrement.KERNEL32(00AA2D58), ref: 0101CCD5
                                            Similarity
                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
                                            • String ID:
                                            • API String ID: 3470314060-0
                                            APIs
                                            • CompareStringW.KERNEL32(00000000,00000000,?,000000FF,00000008,000000FF,00000000,00000000,00000000), ref: 0100DCD6
                                            Strings
                                            • Failed to plan action for target product., xrefs: 0100DD23
                                            • Failed grow array of ordered patches., xrefs: 0100DE32
                                            • Failed to copy target product code., xrefs: 0100DD9A
                                            • Failed to insert execute action., xrefs: 0100DDF1
                                            Similarity
                                            • API ID: CompareString
                                            • String ID: Failed grow array of ordered patches.$Failed to copy target product code.$Failed to insert execute action.$Failed to plan action for target product.
                                            • API String ID: 1825529933-3432308488
                                            APIs
                                            • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF,00000000,?,?,?,?,?,?,00000001,00000000), ref: 0101437C
                                            • CompareStringW.KERNEL32(00000000,00000001,?,000000FF,?,000000FF), ref: 01014401
                                            Strings
                                            • detect.cpp, xrefs: 0101445C
                                            • BA aborted detect forward compatible bundle., xrefs: 01014466
                                            • Failed to initialize update bundle., xrefs: 01014498
                                            Similarity
                                            • API ID: CompareString
                                            • String ID: BA aborted detect forward compatible bundle.$Failed to initialize update bundle.$detect.cpp
                                            • API String ID: 1825529933-918857910
                                            APIs
                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,?,000000FF,00FF72B8,PackageVersion,?,?,00000001,00000001,00FF72B8,00000001,00020006,00000001), ref: 00FF614A
                                            • RegCloseKey.ADVAPI32(00FF72B8,00FF72B8,PackageVersion,?,?,00000001,00000001,00FF72B8,00000001,00020006,00000001,00000000), ref: 00FF6160
                                            Strings
                                            • PackageVersion, xrefs: 00FF612C
                                            • Failed to remove update registration key: %ls, xrefs: 00FF618E
                                            • Failed to format key for update registration., xrefs: 00FF6101
                                            Similarity
                                            • API ID: CloseCompareString
                                            • String ID: Failed to format key for update registration.$Failed to remove update registration key: %ls$PackageVersion
                                            • API String ID: 446873843-3222553582
                                            APIs
                                              • Part of subcall function 010225A1: SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,01007AE2,0000001C,00000000,00000000,00000000,00000000), ref: 010225C2
                                            • RemoveDirectoryW.KERNEL32(00000001,00000001,00000001,00000001,00000001,00FF72C5,?,00000001,-0000001B,00FF72C5,00000001,00000000,?,00FF72C5,00000001,00000001), ref: 00FF6080
                                            Strings
                                            Similarity
                                            • API ID: DirectoryFolderPathRemove
                                            • String ID: Failed to allocate regid folder path.$Failed to find local %hs appdata directory.$per-machine$per-user
                                            • API String ID: 293476170-2037127396
                                            APIs
                                            • QueryServiceConfigW.ADVAPI32(?,00000000,00000000,?,00000001,00000000,?,?,?,?,0100EFD9,?,?), ref: 01027F37
                                            • GetLastError.KERNEL32(?,?,?,0100EFD9,?,?), ref: 01027F47
                                              • Part of subcall function 010228F3: GetProcessHeap.KERNEL32(?,?,?,01020F41,?,00000001,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000), ref: 01022904
                                              • Part of subcall function 010228F3: RtlAllocateHeap.NTDLL(00000000,?,01020F41,?,00000001,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000,00000000), ref: 0102290B
                                            • QueryServiceConfigW.ADVAPI32(?,00000000,?,?,?,00000001,?,?,?,0100EFD9,?,?), ref: 01027F80
                                            • GetLastError.KERNEL32(?,?,?,0100EFD9,?,?), ref: 01027F86
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ConfigErrorHeapLastQueryService$AllocateProcess
                                            • String ID: svcutil.cpp
                                            • API String ID: 355237494-1746323212
                                            • Opcode ID: 53a01ae90cb8c904e314e20caf2597acceed1ea4799eb8979a9f2915d1d42e08
                                            • Instruction ID: 4e4aa04be95bbe3c02fa304b0548ee51ed9b957d595ee1acf729092917ac96e8
                                            • Opcode Fuzzy Hash: 53a01ae90cb8c904e314e20caf2597acceed1ea4799eb8979a9f2915d1d42e08
                                            • Instruction Fuzzy Hash: 79219871B0431AFFEB519A99CD80FBE7AE8EB24244F100079FA40EA150E6B5DE409760
                                            APIs
                                            • CertGetCertificateContextProperty.CRYPT32(?,0100861C,00000000,00000003), ref: 01027E55
                                            • GetLastError.KERNEL32(?,0100861C,?,00000003,00AAC56B,?), ref: 01027E5B
                                            • CertGetCertificateContextProperty.CRYPT32(?,0100861C,00000000,00000003), ref: 01027EBE
                                            • GetLastError.KERNEL32(?,0100861C,?,00000003,00AAC56B,?), ref: 01027EC4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CertCertificateContextErrorLastProperty
                                            • String ID: certutil.cpp
                                            • API String ID: 980632616-2692845373
                                            • Opcode ID: c136d00c13affdbfe649967799dccf0f1e8137be8942aba8467693de8830e046
                                            • Instruction ID: 46d03ae58d38e5441ea9d2f4d527a2d7a1049f14b661d2f0ca1eaf1e882d4c7d
                                            • Opcode Fuzzy Hash: c136d00c13affdbfe649967799dccf0f1e8137be8942aba8467693de8830e046
                                            • Instruction Fuzzy Hash: 5021C87170022BABEB219FA98C81F6A3AEDEF69744F110035F980DB255E7B9CD005770
                                            APIs
                                            Strings
                                            • Failed to read action., xrefs: 00FFF3D5
                                            • Failed to read package id from message buffer., xrefs: 00FFF3B5
                                            • Failed to find package: %ls, xrefs: 00FFF40D
                                            • Failed to execute package provider action., xrefs: 00FFF42C
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: _memset
                                            • String ID: Failed to execute package provider action.$Failed to find package: %ls$Failed to read action.$Failed to read package id from message buffer.
                                            • API String ID: 2102423945-384206569
                                            • Opcode ID: fa25ca1862e5f5db96f27a180c2b38754121aea6497631f5d8c3b9a712c1f2f8
                                            • Instruction ID: 3d9fb58b48ce86bde4a2dca5ed43a7d07b940ee0269f14c7009e24056de969da
                                            • Opcode Fuzzy Hash: fa25ca1862e5f5db96f27a180c2b38754121aea6497631f5d8c3b9a712c1f2f8
                                            • Instruction Fuzzy Hash: EE211D72D0022DBFCF12EAD0DC45AEF7A78AF14711F504165FA40B61A0E7759E14AB91
                                            APIs
                                            • HttpQueryInfoW.WININET(?,?,00000001,00000000,?), ref: 01028166
                                            • GetLastError.KERNEL32(?,01017300,00000000,00000033,?,00000000,00000013,00000000,?,?,?,0101747C,00000000,?,00000000,?), ref: 0102816C
                                            • HttpQueryInfoW.WININET(?,?,00000001,00000000,?), ref: 0102819F
                                            • GetLastError.KERNEL32(?,01017300,00000000,00000033,?,00000000,00000013,00000000,?,?,?,0101747C,00000000,?,00000000,?), ref: 010281A5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorHttpInfoLastQuery
                                            • String ID: inetutil.cpp
                                            • API String ID: 4218848986-2900720265
                                            • Opcode ID: 21a62498dec6598621b08325781e4bf418af3ceaefce77deb3defffb0bccd2dd
                                            • Instruction ID: 08d41ac19d4230d6a5f24205d92e4c8bece61a472670520e494e2f2a94c7cfde
                                            • Opcode Fuzzy Hash: 21a62498dec6598621b08325781e4bf418af3ceaefce77deb3defffb0bccd2dd
                                            • Instruction Fuzzy Hash: C721577560021AFBDB129F95CC80EEF77EDEF54244F304466F980D6151E775DA409B60
                                            APIs
                                            • GetCurrentDirectoryW.KERNEL32(?,00000000,00000001,00000009,00000000,?,?,?,01001F96,00000001,00000000,Setup,00000000,log,0000000D,00000000), ref: 0102716C
                                            • GetLastError.KERNEL32(?,?,?,01001F96,00000001,00000000,Setup,00000000,log,0000000D,00000000,00000000,?,?,?), ref: 01027174
                                            • GetCurrentDirectoryW.KERNEL32(00000000,?,?,00000000,?,?,?,01001F96,00000001,00000000,Setup,00000000,log,0000000D,00000000,00000000), ref: 010271B6
                                            • GetLastError.KERNEL32(?,?,?,01001F96,00000001,00000000,Setup,00000000,log,0000000D,00000000,00000000,?,?,?), ref: 010271BC
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CurrentDirectoryErrorLast
                                            • String ID: dirutil.cpp
                                            • API String ID: 152501406-2193988115
                                            • Opcode ID: 8402f26588d01eff71ecf20afef4619a4b529965ee9d0573e57ce3d29146cd8b
                                            • Instruction ID: 2490ca07ecc9f126e78630a55e3a047ec3889725bc0d285d0c450ddadc2ce2a8
                                            • Opcode Fuzzy Hash: 8402f26588d01eff71ecf20afef4619a4b529965ee9d0573e57ce3d29146cd8b
                                            • Instruction Fuzzy Hash: 86215371A10226FBDB22CB9DCD84AAEBFB9AF24740F3040A9E540E6210E675DA409B55
                                            APIs
                                              • Part of subcall function 010228F3: GetProcessHeap.KERNEL32(?,?,?,01020F41,?,00000001,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000), ref: 01022904
                                              • Part of subcall function 010228F3: RtlAllocateHeap.NTDLL(00000000,?,01020F41,?,00000001,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000,00000000), ref: 0102290B
                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 01014F4A
                                            • ReleaseMutex.KERNEL32(?), ref: 01014F79
                                            • SetEvent.KERNEL32(?), ref: 01014F82
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Heap$AllocateEventMutexObjectProcessReleaseSingleWait
                                            • String ID: Failed to allocate buffer.$NetFxChainer.cpp
                                            • API String ID: 944053411-3611226795
                                            • Opcode ID: ee2664cfd3b51af0052462047b8334362b08c6a29110dc5082896fc1237f1185
                                            • Instruction ID: a1cf27a0684b843a5825aa41e0cff860d140ee7e400a86ffd09cd22532da4553
                                            • Opcode Fuzzy Hash: ee2664cfd3b51af0052462047b8334362b08c6a29110dc5082896fc1237f1185
                                            • Instruction Fuzzy Hash: 3A21E271900215EFDB21DF64C888A9EBBB5FF45324F2080A8F851EF355D7BA9902CB90
                                            APIs
                                            • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,?,?,00000000,?,80070057,F0000002), ref: 00FF2FA0
                                            Strings
                                            • Failed to allocate message to write., xrefs: 00FF2F75
                                            • pipe.cpp, xrefs: 00FF2FD9
                                            • Failed to write message type to pipe., xrefs: 00FF2FE3
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: FileWrite
                                            • String ID: Failed to allocate message to write.$Failed to write message type to pipe.$pipe.cpp
                                            • API String ID: 3934441357-1996674626
                                            • Opcode ID: d38e5b2b8132353fff235168bf27e74a8f1607558060111407c7c2886c796247
                                            • Instruction ID: e6d5344affbf670c8b585e8562a3d0995ccae81994f4e0e98fa0cb764dc25fec
                                            • Opcode Fuzzy Hash: d38e5b2b8132353fff235168bf27e74a8f1607558060111407c7c2886c796247
                                            • Instruction Fuzzy Hash: 3C11B472A1421EBFDB219F94DD81DFFBBB9EF44310B200129FA41B6194EA759E40B760
                                            APIs
                                              • Part of subcall function 01017363: InternetCloseHandle.WININET(00000000), ref: 01017388
                                              • Part of subcall function 01017363: InternetCloseHandle.WININET(00000000), ref: 01017396
                                              • Part of subcall function 01017363: InternetConnectW.WININET(?,00000000,?,00000000,?,?,00000000,00000000), ref: 010173F5
                                              • Part of subcall function 01017363: lstrlenW.KERNEL32(00000000), ref: 01017420
                                              • Part of subcall function 01017363: InternetSetOptionW.WININET(00000000,0000002B,00000000,00000000), ref: 0101742D
                                              • Part of subcall function 01017363: lstrlenW.KERNEL32(00000001), ref: 01017436
                                              • Part of subcall function 01017363: InternetSetOptionW.WININET(00000000,0000002C,00000001,00000000), ref: 0101743F
                                            • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,00000000,000000FF,?,00000000,HEAD,00000000,00000000,?,00000000,?,?), ref: 010175CD
                                            • InternetCloseHandle.WININET(?), ref: 010175E3
                                            • InternetCloseHandle.WININET(00000000), ref: 010175ED
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Internet$CloseHandle$OptionTimelstrlen$ConnectFileSystem
                                            • String ID: Failed to connect to URL: %ls$HEAD
                                            • API String ID: 1677864904-290634988
                                            • Opcode ID: be3b8bf058df3f725717a769304aa278ea38de09a958246ccb077bac95b0e0f7
                                            • Instruction ID: f96a3f8d5cd8174d1a60e1a9ee25e6722ec3aa38485bfa6a3cfccc5c9f681f53
                                            • Opcode Fuzzy Hash: be3b8bf058df3f725717a769304aa278ea38de09a958246ccb077bac95b0e0f7
                                            • Instruction Fuzzy Hash: FA213771900229FFCF129FA5CC848DEBFB9FF18710B108066F945A2214D7759A20EF90
                                            APIs
                                            • SysAllocString.OLEAUT32(?), ref: 01025981
                                            • VariantInit.OLEAUT32(?), ref: 0102598D
                                            • VariantClear.OLEAUT32(?), ref: 01025A01
                                            • SysFreeString.OLEAUT32(00000000), ref: 01025A0C
                                              • Part of subcall function 01025551: SysAllocString.OLEAUT32(?), ref: 01025566
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: String$AllocVariant$ClearFreeInit
                                            • String ID: `<u
                                            • API String ID: 347726874-3367579956
                                            • Opcode ID: 351b2888022e341c01667f111d4902f3507b109ec52edf958ff99f69524b1702
                                            • Instruction ID: 41d346a2af476cee5a9ad97cad2c1797419271e8a333efcc383d84fbaa18594e
                                            • Opcode Fuzzy Hash: 351b2888022e341c01667f111d4902f3507b109ec52edf958ff99f69524b1702
                                            • Instruction Fuzzy Hash: 98215071A00229AFDB10DFA8CC89AEEBBB8AF05725F144594EE81DB200D735ED00CB90
                                            APIs
                                            • HttpQueryInfoW.WININET(00000000,4000000B,?,00000000,00000000), ref: 01028096
                                            • GetLastError.KERNEL32 ref: 010280A0
                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 010280C9
                                            • GetLastError.KERNEL32 ref: 010280D3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorLastTime$FileHttpInfoQuerySystem
                                            • String ID: inetutil.cpp
                                            • API String ID: 3487154604-2900720265
                                            • Opcode ID: 71370035eceec2b552a8e7adfa3edecd60981f4a3d449eddbe80097e2f3b4ba9
                                            • Instruction ID: 44022d98becfc8333d653ab6ad71e4f5e04f9adbf2e223e0f915e63a13cac518
                                            • Opcode Fuzzy Hash: 71370035eceec2b552a8e7adfa3edecd60981f4a3d449eddbe80097e2f3b4ba9
                                            • Instruction Fuzzy Hash: 7B11DA76A00126A7D7719AA9C884AAFBBECAF14750F108136FA41E7140EA2DDA0487D5
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: _memcpy_s
                                            • String ID: Failed to find variable.$Failed to parse condition '%ls' at position: %u$Failed to read next symbol.$condition.cpp
                                            • API String ID: 2001391462-1605196437
                                            • Opcode ID: 7a7215864fc0ad4c758c1365b16b98a5db337aa983748d7320f8fbf1d3db29ae
                                            • Instruction ID: 353a8993f27c7e5326ccc6d38cf7299f25d4d50bc94ac82d39ce8252cfec39a1
                                            • Opcode Fuzzy Hash: 7a7215864fc0ad4c758c1365b16b98a5db337aa983748d7320f8fbf1d3db29ae
                                            • Instruction Fuzzy Hash: 5611807A280B05BAF333665DDC01E977AA9E7C4750F100A2DF3C59A1D1DA6AF41192A1
                                            APIs
                                              • Part of subcall function 010228F3: GetProcessHeap.KERNEL32(?,?,?,01020F41,?,00000001,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000), ref: 01022904
                                              • Part of subcall function 010228F3: RtlAllocateHeap.NTDLL(00000000,?,01020F41,?,00000001,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000,00000000), ref: 0102290B
                                            • CreateWellKnownSid.ADVAPI32(00000000,00000000,00000000,00000000,00000044,00000001,00000000,00000000,20000004,?,01007C8E,0000001A,00000000,00000000,00000000,00000000), ref: 01007C04
                                            • GetLastError.KERNEL32(?,01007C8E,0000001A,00000000,00000000,00000000,00000000,00000000), ref: 01007C0E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Heap$AllocateCreateErrorKnownLastProcessWell
                                            • String ID: Failed to allocate memory for well known SID.$Failed to create well known SID.$cache.cpp
                                            • API String ID: 2186923214-2110050797
                                            • Opcode ID: d55423e5c8af91d00b168289173a994f2335fdb7d5b1da856b6d06ea7fc48bb2
                                            • Instruction ID: c4933fbc3951d99893abb9d48890ce89e62b8237faad73a798dfba70da7b18cd
                                            • Opcode Fuzzy Hash: d55423e5c8af91d00b168289173a994f2335fdb7d5b1da856b6d06ea7fc48bb2
                                            • Instruction Fuzzy Hash: 6011E9727457367AE23266558C05F9B3B589F91E60F214029FAC5AF1C0EA6DE90182A4
                                            APIs
                                            • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000003E8,000004FF), ref: 01017DB5
                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 01017DDD
                                            • GetLastError.KERNEL32 ref: 01017DE5
                                            Strings
                                            • Failed while waiting for download., xrefs: 01017E19
                                            • bitsengine.cpp, xrefs: 01017E0F
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorLastMessageMultipleObjectsPeekWait
                                            • String ID: Failed while waiting for download.$bitsengine.cpp
                                            • API String ID: 435350009-228655868
                                            APIs
                                            • _memcpy_s.LIBCMT ref: 00FF2F01
                                            • _memcpy_s.LIBCMT ref: 00FF2F14
                                            • _memcpy_s.LIBCMT ref: 00FF2F2F
                                              • Part of subcall function 010188C1: _memmove.LIBCMT ref: 010188FD
                                              • Part of subcall function 010188C1: _memset.LIBCMT ref: 0101890F
                                            Strings
                                            • pipe.cpp, xrefs: 00FF2EDE
                                            • Failed to allocate memory for message., xrefs: 00FF2EEA
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: _memcpy_s$_memmove_memset
                                            • String ID: Failed to allocate memory for message.$pipe.cpp
                                            • API String ID: 3316475362-1914209504
                                            APIs
                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 00FF76B5
                                            Strings
                                            • Failed get file version., xrefs: 00FF76ED
                                            • Failed to set variable., xrefs: 00FF770D
                                            • Failed to format path string., xrefs: 00FF76C0
                                            • File search: %ls, did not find path: %ls, xrefs: 00FF7721
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Open@16
                                            • String ID: Failed get file version.$Failed to format path string.$Failed to set variable.$File search: %ls, did not find path: %ls
                                            • API String ID: 3613110473-2458530209
                                            APIs
                                            • GetComputerNameW.KERNEL32(?,?), ref: 00FF92AB
                                            • GetLastError.KERNEL32 ref: 00FF92B5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ComputerErrorLastName
                                            • String ID: Failed to get computer name.$Failed to set variant value.$variable.cpp
                                            • API String ID: 3560734967-484636765
                                            APIs
                                            • GetCurrentProcess.KERNEL32(?), ref: 00FF9FEA
                                              • Part of subcall function 0102057A: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,00000000,?,?,00FF9127,00000000), ref: 0102058E
                                              • Part of subcall function 0102057A: GetProcAddress.KERNEL32(00000000), ref: 01020595
                                              • Part of subcall function 0102057A: GetLastError.KERNEL32(?,?,00FF9127,00000000), ref: 010205AC
                                              • Part of subcall function 01026835: SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,?), ref: 01026862
                                            Strings
                                            • Failed to get 64-bit folder., xrefs: 00FFA033
                                            • Failed to set variant value., xrefs: 00FFA04C
                                            • variable.cpp, xrefs: 00FFA013
                                            • Failed to get shell folder., xrefs: 00FFA01D
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: AddressCurrentErrorFolderHandleLastModulePathProcProcess
                                            • String ID: Failed to get 64-bit folder.$Failed to get shell folder.$Failed to set variant value.$variable.cpp
                                            • API String ID: 2084161155-3906113122
                                            APIs
                                              • Part of subcall function 01025D1F: _memset.LIBCMT ref: 01025D4A
                                              • Part of subcall function 01025D1F: FindFirstFileW.KERNELBASE(00000000,?,00000000,?,80070002), ref: 01025D5A
                                              • Part of subcall function 01025D1F: FindClose.KERNEL32(00000000), ref: 01025D66
                                            • SetFileAttributesW.KERNEL32(00000000,00000080,00000000,?,00000000,000000FF,00000000,?,?,01009D35,?,00000000,E0000136,00000000,?,?), ref: 01026202
                                            • GetLastError.KERNEL32(?,?,01009D35,?,00000000,E0000136,00000000,?,?,00000000,?,00000000,?,?,00000000,00000000), ref: 0102620C
                                            • DeleteFileW.KERNEL32(00000000,00000000,?,00000000,000000FF,00000000,?,?,01009D35,?,00000000,E0000136,00000000,?,?,00000000), ref: 0102622B
                                            • GetLastError.KERNEL32(?,?,01009D35,?,00000000,E0000136,00000000,?,?,00000000,?,00000000,?,?,00000000,00000000), ref: 01026235
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: File$ErrorFindLast$AttributesCloseDeleteFirst_memset
                                            • String ID: fileutil.cpp
                                            • API String ID: 1255660700-2967768451
                                            APIs
                                            • WaitForSingleObject.KERNEL32(000001F4,?,01013ED5,?,?,0100AE41,?,000001F4,?,?,?,?,?,?,?,?), ref: 010206E3
                                            • GetLastError.KERNEL32(?,?,0100AE41,?,000001F4,?,?,?,?,?,?,?,?), ref: 010206F1
                                            • GetExitCodeProcess.KERNEL32(000001F4,?), ref: 0102072D
                                            • GetLastError.KERNEL32(?,?,0100AE41,?,000001F4,?,?,?,?,?,?,?,?), ref: 01020737
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorLast$CodeExitObjectProcessSingleWait
                                            • String ID: procutil.cpp
                                            • API String ID: 590199018-1178289305
                                            APIs
                                            • WaitForSingleObject.KERNEL32(?,000000FF,00000002,?,?,01015048), ref: 01014E21
                                            • ReleaseMutex.KERNEL32(?,?,?,01015048), ref: 01014EA6
                                              • Part of subcall function 010228F3: GetProcessHeap.KERNEL32(?,?,?,01020F41,?,00000001,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000), ref: 01022904
                                              • Part of subcall function 010228F3: RtlAllocateHeap.NTDLL(00000000,?,01020F41,?,00000001,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000,00000000), ref: 0102290B
                                            • _memmove.LIBCMT ref: 01014E8D
                                            Strings
                                            • NetFxChainer.cpp, xrefs: 01014E60
                                            • Failed to allocate memory for message data, xrefs: 01014E6D
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Heap$AllocateMutexObjectProcessReleaseSingleWait_memmove
                                            • String ID: Failed to allocate memory for message data$NetFxChainer.cpp
                                            • API String ID: 2689949979-1624333943
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorLastNameUser
                                            • String ID: Failed to get the user name.$Failed to set variant value.$variable.cpp
                                            • API String ID: 2054405381-1522884404
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?), ref: 0101804A
                                            • LeaveCriticalSection.KERNEL32(?), ref: 0101808F
                                            • SetEvent.KERNEL32(?,?,?,?), ref: 010180A3
                                            Strings
                                            • Failure while sending progress during BITS job modification., xrefs: 0101807E
                                            • Failed to get state during job modification., xrefs: 01018063
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterEventLeave
                                            • String ID: Failed to get state during job modification.$Failure while sending progress during BITS job modification.
                                            • API String ID: 3094578987-1258544340
                                            APIs
                                            • InitializeCriticalSection.KERNEL32(00000008,00000000,?,?,010181C3,?,?,?,?,?,00000000,?,00000000), ref: 01017E4C
                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,010181C3,?,?,?,?,?,00000000,?,00000000), ref: 01017E59
                                            • GetLastError.KERNEL32(?,010181C3,?,?,?,?,?,00000000,?,00000000), ref: 01017E66
                                            Strings
                                            • bitsengine.cpp, xrefs: 01017E8B
                                            • Failed to create BITS job complete event., xrefs: 01017E95
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CreateCriticalErrorEventInitializeLastSection
                                            • String ID: Failed to create BITS job complete event.$bitsengine.cpp
                                            • API String ID: 3069647169-3441864216
                                            APIs
                                            • EnterCriticalSection.KERNEL32(00000008,?,00000000,00000000,00000000,?,01017DD3), ref: 01017C7D
                                            • LeaveCriticalSection.KERNEL32(00000008,?,01017DD3), ref: 01017CC2
                                            • SetEvent.KERNEL32(?,?,01017DD3), ref: 01017CD6
                                            Strings
                                            • Failed to get BITS job state., xrefs: 01017C96
                                            • Failure while sending progress., xrefs: 01017CB1
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterEventLeave
                                            • String ID: Failed to get BITS job state.$Failure while sending progress.
                                            • API String ID: 3094578987-2876445054
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?,?,?,00000000,?,00FFD9EF,?,00000000,75C0B390,?,00000000), ref: 00FFBB76
                                            • InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 00FFBB83
                                            • LeaveCriticalSection.KERNEL32(?,?,00FFD9EF,?,00000000,75C0B390,?,00000000), ref: 00FFBB98
                                            Strings
                                            • Engine active cannot be changed because it was already in that state., xrefs: 00FFBBBB
                                            • userexperience.cpp, xrefs: 00FFBBB1
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CriticalSection$CompareEnterExchangeInterlockedLeave
                                            • String ID: Engine active cannot be changed because it was already in that state.$userexperience.cpp
                                            • API String ID: 3376869089-1544469594
                                            • Opcode ID: f07463434c75df5a6ae8a1ebf4e50ec6a5c86dddcc8f9fc91a9416daecf8f654
                                            • Instruction ID: 96c074b3b0df84036583cc00efa5a00d31d6673c68d1485b228066b3da9daa74
                                            • Opcode Fuzzy Hash: f07463434c75df5a6ae8a1ebf4e50ec6a5c86dddcc8f9fc91a9416daecf8f654
                                            • Instruction Fuzzy Hash: DDF02B7360432A6FE3301E56DC84EB73B9CEFA4AA17100029FF419A188D775AC0083B0
                                            APIs
                                              • Part of subcall function 00FF8F23: FreeLibrary.KERNEL32(00000000), ref: 00FF8FCF
                                            • _memset.LIBCMT ref: 00FF8FF2
                                            • GetVersionExW.KERNEL32(?,?,00000000,00FF909E), ref: 00FF9001
                                            • GetLastError.KERNEL32 ref: 00FF900B
                                            Strings
                                            • variable.cpp, xrefs: 00FF9030
                                            • Failed to get OS version from GetVersionExW, xrefs: 00FF903A
                                            Similarity
                                            • API ID: ErrorFreeLastLibraryVersion_memset
                                            • String ID: Failed to get OS version from GetVersionExW$variable.cpp
                                            • API String ID: 2453953334-413229814
                                            • Opcode ID: 42aa8f48f02b74ba5357192237490e794738a4a1fdce0711821d45419a4180a3
                                            • Instruction ID: 34865b2660017d65cbac182d8da176a9292a0eb9f2220512ca5f586e3badab71
                                            • Opcode Fuzzy Hash: 42aa8f48f02b74ba5357192237490e794738a4a1fdce0711821d45419a4180a3
                                            • Instruction Fuzzy Hash: 68F082B178431B6AF32129B65CC6B77269C9F61798B20413DFB40D91D5FEDDCD041614
                                            APIs
                                              • Part of subcall function 01023D9A: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,01027ABC,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 01023DAE
                                            • RegCloseKey.ADVAPI32(00000001,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019,00000001,00FF13BB,00FF13BB,00020019,00000000,00000001), ref: 010286EE
                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,00000001,?,00000000,00000001,00000000,00020019), ref: 0102872F
                                            • RegCloseKey.ADVAPI32(00000001,00000001,00020019,00FF13BB,?,00FF13BB,00000000,00000000,?,00FF13BB,00000001,00000000), ref: 01028750
                                            • RegCloseKey.ADVAPI32(00000000,00000001,00020019,00FF13BB,?,00FF13BB,00000000,00000000,?,00FF13BB,00000001,00000000), ref: 01028761
                                            • RegCloseKey.ADVAPI32(00FF13BB,?,00FF13BB,00000000,00000000,?,00FF13BB,00000001,00000000), ref: 01028775
                                              • Part of subcall function 01023F7C: RegCloseKey.ADVAPI32(00000000), ref: 010240E2
                                              • Part of subcall function 01023C86: RegQueryInfoKeyW.ADVAPI32(00FF13BB,00000000,00000000,00000000,?,00000000,00000000,00FF13BB,00000000,00000000,00000000,00000000,80070002,00000000,?,010286DA), ref: 01023CA1
                                            Similarity
                                            • API ID: Close$InfoOpenQuery
                                            • String ID:
                                            • API String ID: 796878624-0
                                            • Opcode ID: cbffcab61fe5c69d56cad1c7f3c25e3cf07620325b5cbfdfe31e9090f881fa29
                                            • Instruction ID: cd2265538a25f28546ae14756d3b298ef9c42f47c9c63d7ae80225663372644c
                                            • Opcode Fuzzy Hash: cbffcab61fe5c69d56cad1c7f3c25e3cf07620325b5cbfdfe31e9090f881fa29
                                            • Instruction Fuzzy Hash: B041A97580123DFFDF229F94D9848DDBFB9FB08B51F2084A6F594A6110D3358A90DB90
                                            APIs
                                            • CloseHandle.KERNEL32(?,00000000,?,?,00FF1ED9,?,?,?,?,?), ref: 00FF1120
                                            • DeleteCriticalSection.KERNEL32(?,00000000,?,?,00FF1ED9,?,?,?,?,?), ref: 00FF113A
                                            • TlsFree.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00FF120B
                                            • DeleteCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00FF1212
                                            • _memset.LIBCMT ref: 00FF121C
                                            Similarity
                                            • API ID: CriticalDeleteSection$CloseFreeHandle_memset
                                            • String ID:
                                            • API String ID: 3611737199-0
                                            • Opcode ID: 9872091e0a66d5c4c8a30b792ca4951395ba72f2a1c8cc19bf2555f3d98c374e
                                            • Instruction ID: cc96c39ceb1a523b1667eaff7635e8a276a2e3b102821f6222ecb59363c715ab
                                            • Opcode Fuzzy Hash: 9872091e0a66d5c4c8a30b792ca4951395ba72f2a1c8cc19bf2555f3d98c374e
                                            • Instruction Fuzzy Hash: 4131F7B1A0070AABDA64EBB5CC88FEB73ECAF14750F444819B3A9D3064DB78E504D764
                                            APIs
                                            • EnterCriticalSection.KERNEL32(-00000001,00000000,00000000,00000000,?,?,00FFAAC8,?,?,00000000,?,00000001,?,00000002,-00000001,00FF8B91), ref: 00FFA653
                                            • LeaveCriticalSection.KERNEL32(-00000001,00000002,00FF8B91,?,00FFAAC8,?,?,00000000,?,00000001,?,00000002,-00000001,00FF8B91,00000001), ref: 00FFA6EE
                                            Strings
                                            • Failed to get variable: %ls, xrefs: 00FFA689
                                            • Failed to format value '%ls' of variable: %ls, xrefs: 00FFA6B8
                                            • Failed to get value as string for variable: %ls, xrefs: 00FFA6DD
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID: Failed to format value '%ls' of variable: %ls$Failed to get value as string for variable: %ls$Failed to get variable: %ls
                                            • API String ID: 3168844106-1273532094
                                            • Opcode ID: 0680b008c76ec652affba21141a566db43d99e959addcc65253269cc474d2452
                                            • Instruction ID: ad373c9786b00b5990f1b1d7c6581c95a1737fd58d0cb07f27d18de83723de4f
                                            • Opcode Fuzzy Hash: 0680b008c76ec652affba21141a566db43d99e959addcc65253269cc474d2452
                                            • Instruction Fuzzy Hash: 3911A2B2500708FFCF219F51CCC4CBB7BA9FF983207288515FB5996121D3769910AB66
                                            APIs
                                            • _malloc.LIBCMT ref: 0101E223
                                              • Part of subcall function 0101BB70: __FF_MSGBANNER.LIBCMT ref: 0101BB89
                                              • Part of subcall function 0101BB70: __NMSG_WRITE.LIBCMT ref: 0101BB90
                                              • Part of subcall function 0101BB70: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,0101C627,00000000,00000001,00000000,?,0101BDD6,00000018,01043420,0000000C,0101BE66), ref: 0101BBB5
                                            • _free.LIBCMT ref: 0101E236
                                            Similarity
                                            • API ID: AllocHeap_free_malloc
                                            • String ID:
                                            • API String ID: 2734353464-0
                                            • Opcode ID: b4f2fef1050e3f7c44680bb0e3dbeb179db73ff2f84adb5f033dd2dcd8b49f12
                                            • Instruction ID: 66d293317a7f7a2b10b0a0c20b60ac4ce5bea02d3124757cd3732a7aeb379665
                                            • Opcode Fuzzy Hash: b4f2fef1050e3f7c44680bb0e3dbeb179db73ff2f84adb5f033dd2dcd8b49f12
                                            • Instruction Fuzzy Hash: D311C132901616EFCB332FB9E814BDE3BD5AB54260B210566FDD897188DF3CC9808790
                                            APIs
                                            • CloseHandle.KERNEL32(?,00000000,0101535A), ref: 01014DCC
                                            • CloseHandle.KERNEL32(?,00000000,0101535A), ref: 01014DD9
                                            • CloseHandle.KERNEL32(?,00000000,0101535A), ref: 01014DE7
                                            • CloseHandle.KERNEL32(?,00000000,0101535A), ref: 01014DF5
                                            • UnmapViewOfFile.KERNEL32(?,0101535A), ref: 01014E04
                                            Similarity
                                            • API ID: CloseHandle$FileUnmapView
                                            • String ID:
                                            • API String ID: 260491571-0
                                            • Opcode ID: ccf584d68c9cf59914035bb2e150dce607b63e0bc59be6a83e9dfbbf79272281
                                            • Instruction ID: ac38618f664a1227f22e84b0cf517ecb33c847167eb44ecd8575f9d8e13fd69d
                                            • Opcode Fuzzy Hash: ccf584d68c9cf59914035bb2e150dce607b63e0bc59be6a83e9dfbbf79272281
                                            • Instruction Fuzzy Hash: 16F01D716007029BEB30EE79C844B5BB7ECAF44721F45885CE5D6D7954CB3DE4008B60
                                            APIs
                                            • __getptd.LIBCMT ref: 0101C9C1
                                              • Part of subcall function 01019EF2: __getptd_noexit.LIBCMT ref: 01019EF5
                                              • Part of subcall function 01019EF2: __amsg_exit.LIBCMT ref: 01019F02
                                            • __getptd.LIBCMT ref: 0101C9D8
                                            • __amsg_exit.LIBCMT ref: 0101C9E6
                                            • __lock.LIBCMT ref: 0101C9F6
                                            • __updatetlocinfoEx_nolock.LIBCMT ref: 0101CA0A
                                            Similarity
                                            • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
                                            • String ID:
                                            • API String ID: 938513278-0
                                            • Opcode ID: fc65c17b057a583622ed4ede668c6148780e17f1f5fd260c0a96f24e0af8cc4c
                                            • Instruction ID: 8c45431bb9bb56b10faa5549a8f24b7b5b68dd1caa7029855bfd978da777eacd
                                            • Opcode Fuzzy Hash: fc65c17b057a583622ed4ede668c6148780e17f1f5fd260c0a96f24e0af8cc4c
                                            • Instruction Fuzzy Hash: F8F0B432A813229BF722BB7C95097DD3BE16F10724F11424DD5D0EB2C8CB7D95408B55
                                            APIs
                                            • _memset.LIBCMT ref: 01028300
                                            • InternetCrackUrlW.WININET(?,00000000,90000000,?), ref: 010283AF
                                            • GetLastError.KERNEL32 ref: 010283B9
                                            Strings
                                            Similarity
                                            • API ID: CrackErrorInternetLast_memset
                                            • String ID: uriutil.cpp
                                            • API String ID: 2372571340-476456875
                                            • Opcode ID: 98912f00c813550e55bb7b71b476338ab87cf7e4cbae72916f330f32aee1dfd6
                                            • Instruction ID: 8545209ef02d2a776a33aaaec2445ef23bca9f71d3f8c3f98476087d9866669a
                                            • Opcode Fuzzy Hash: 98912f00c813550e55bb7b71b476338ab87cf7e4cbae72916f330f32aee1dfd6
                                            • Instruction Fuzzy Hash: 2261C275901238DBDB22DF59CC88ADDBBF4BB08704F4484EBE588A2211D7315BD98F95
                                            APIs
                                            • _memset.LIBCMT ref: 010268A4
                                            • ShellExecuteExW.SHELL32(?), ref: 010268E2
                                            • CloseHandle.KERNEL32(00000000,?,?,?), ref: 01026973
                                            Strings
                                            Similarity
                                            • API ID: CloseExecuteHandleShell_memset
                                            • String ID: <
                                            • API String ID: 1378689676-4251816714
                                            • Opcode ID: 35b79e3bbc8296b5af9d81c5d38d97a01ddb32b0fcc0942f9c5400348b180eef
                                            • Instruction ID: 2c0f2d5ae2949661693ed44c0c7681d4ef4ffed1bfdc550b53284e0a021cb239
                                            • Opcode Fuzzy Hash: 35b79e3bbc8296b5af9d81c5d38d97a01ddb32b0fcc0942f9c5400348b180eef
                                            • Instruction Fuzzy Hash: 9F318075A1023ADBDB50CFACC4446EDBBECEB04664F548096EDC5FB244DE3A8981CB90
                                            APIs
                                            Strings
                                            • Failed to read next symbol., xrefs: 01007605
                                            • Failed to expect end symbol., xrefs: 01007636
                                            • Failed to parse expression., xrefs: 0100761F
                                            Similarity
                                            • API ID: _memset
                                            • String ID: Failed to expect end symbol.$Failed to parse expression.$Failed to read next symbol.
                                            • API String ID: 2102423945-1316734955
                                            • Opcode ID: fb62c1a4090d900fe50b00a4ee36779fbe25b39db632409f0fa2f68fdc0cb32f
                                            • Instruction ID: 9fb85469b881074e3f681ebde8ab788f03c672c06162c8cb8a2b842f115ce8d9
                                            • Opcode Fuzzy Hash: fb62c1a4090d900fe50b00a4ee36779fbe25b39db632409f0fa2f68fdc0cb32f
                                            • Instruction Fuzzy Hash: 7D1193B2901119BBEB12FAA8DD81DDFB7ACAB54644F00012AF982B7181E6346F0187D0
                                            APIs
                                            • CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,?,000000FF,?,00000000,00000030,00FF9837,?,00FFADF8,?,00000030,00000000,00000030), ref: 00FF8EA4
                                            • GetLastError.KERNEL32(?,00FFADF8,?,00000030,00000000,00000030,00FF9837,?,00FFB592,?,?,00000030), ref: 00FF8EDA
                                            Strings
                                            Similarity
                                            • API ID: CompareErrorLastString
                                            • String ID: Failed to compare strings.$variable.cpp
                                            • API String ID: 1733990998-1686915864
                                            • Opcode ID: aa8a938414d6bc424bc53947f540c9189be63097ba8c710d0cc7e67a5ae32c46
                                            • Instruction ID: a2cbe0566a20c18bfde385374b188526b784f47a3fa68b54d2341ceba408b3de
                                            • Opcode Fuzzy Hash: aa8a938414d6bc424bc53947f540c9189be63097ba8c710d0cc7e67a5ae32c46
                                            • Instruction Fuzzy Hash: DF21DB73E0522AEBCB208F99C841E6AB7A4EF457B0F214255F955EB1E0DA70DE01D7D0
                                            APIs
                                            • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,?,0101F98C,?,?,?,00000000,0000FDE9), ref: 0101F7AC
                                            • WriteFile.KERNEL32(00000000,00000000,0000FDE9,00000000,?,?,0101F98C,?,?,?,00000000,0000FDE9), ref: 0101F7EE
                                            • GetLastError.KERNEL32(?,?,0101F98C,?,?,?,00000000,0000FDE9), ref: 0101F7F8
                                            Strings
                                            Similarity
                                            • API ID: ErrorFileLastWritelstrlen
                                            • String ID: logutil.cpp
                                            • API String ID: 606256338-3545173039
                                            • Opcode ID: 341a31ded9ea7387fedc6640920dbef3eff28a4e8783da4c6b03b0d21794ea02
                                            • Instruction ID: 7727a1d09fecc6ca55006a7084b2a1bcc3d9c014fa8c0ac43fa960fa31ee0b9a
                                            • Opcode Fuzzy Hash: 341a31ded9ea7387fedc6640920dbef3eff28a4e8783da4c6b03b0d21794ea02
                                            • Instruction Fuzzy Hash: FC11C671300217BF97205EA998C4AAB7FACEF05764B500139FD84D6049E779E90887A0
                                            APIs
                                            • FormatMessageW.KERNEL32(000011FF,00000000,00000000,00000000,00000000,00000000,?,00000001,00000000,?,?,?,01006042,00000000,00000000,00000000), ref: 01021B06
                                            • GetLastError.KERNEL32(?,?,?,01006042,00000000,00000000,00000000,00000000,?,?,0100201E,?,?,80070656,00000001,?), ref: 01021B13
                                            • LocalFree.KERNEL32(00000000,?,00000000,00000000,?,?,?,01006042,00000000,00000000,00000000,00000000,?,?,0100201E,?), ref: 01021B5A
                                            Strings
                                            Similarity
                                            • API ID: ErrorFormatFreeLastLocalMessage
                                            • String ID: strutil.cpp
                                            • API String ID: 1365068426-3612885251
                                            APIs
                                            • CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,?,00000000,?,01010D9D,00000000,?,?,BundleCachePath,00000000), ref: 01026461
                                            • GetLastError.KERNEL32(?,01010D9D,00000000,?,?,BundleCachePath,00000000,?,BundleVersion,?,?,EngineVersion,?,00000000), ref: 0102646E
                                            Strings
                                            Similarity
                                            • API ID: CreateErrorFileLast
                                            • String ID: fileutil.cpp
                                            • API String ID: 1214770103-2967768451
                                            APIs
                                            • SysAllocString.OLEAUT32(?), ref: 010255F2
                                            • SysFreeString.OLEAUT32(00000000), ref: 01025627
                                            Strings
                                            Similarity
                                            • API ID: String$AllocFree
                                            • String ID: `<u$xmlutil.cpp
                                            • API String ID: 344208780-3482516102
                                            APIs
                                            • SysAllocString.OLEAUT32(?), ref: 010254FB
                                            • SysFreeString.OLEAUT32(00000000), ref: 01025530
                                            Strings
                                            Similarity
                                            • API ID: String$AllocFree
                                            • String ID: `<u$xmlutil.cpp
                                            • API String ID: 344208780-3482516102
                                            APIs
                                            • ControlService.ADVAPI32(?,00000001,?,00000001,00000000,?,?,?,?,?,?,?,0100EFC5), ref: 0100EE4F
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,0100EFC5), ref: 0100EE59
                                            Strings
                                            Similarity
                                            • API ID: ControlErrorLastService
                                            • String ID: Failed to stop wusa service.$msuengine.cpp
                                            • API String ID: 4114567744-2259829683
                                            APIs
                                            • PostThreadMessageW.USER32(?,00009002,00000000,?), ref: 0100290F
                                            • GetLastError.KERNEL32 ref: 01002919
                                            Strings
                                            • Failed to post elevate message., xrefs: 01002948
                                            • EngineForApplication.cpp, xrefs: 0100293E
                                            Similarity
                                            • API ID: ErrorLastMessagePostThread
                                            • String ID: EngineForApplication.cpp$Failed to post elevate message.
                                            • API String ID: 2609174426-4098423239
                                            APIs
                                            • GetProcAddress.KERNEL32(?,BootstrapperApplicationDestroy), ref: 00FFBB2C
                                            • FreeLibrary.KERNEL32(?,?,00FF18A2,?,?,?,?,00FF1E12,?), ref: 00FFBB3B
                                            • GetLastError.KERNEL32(?,00FF18A2,?,?,?,?,00FF1E12,?), ref: 00FFBB45
                                            Strings
                                            • BootstrapperApplicationDestroy, xrefs: 00FFBB26
                                            Similarity
                                            • API ID: AddressErrorFreeLastLibraryProc
                                            • String ID: BootstrapperApplicationDestroy
                                            • API String ID: 1144718084-3186005537
                                            APIs
                                            • SysAllocString.OLEAUT32(?), ref: 01025566
                                            • SysFreeString.OLEAUT32(00000000), ref: 01025598
                                            Strings
                                            Similarity
                                            • API ID: String$AllocFree
                                            • String ID: `<u$xmlutil.cpp
                                            • API String ID: 344208780-3482516102
                                            APIs
                                            • SysAllocString.OLEAUT32(00000000), ref: 0102546F
                                            • SysFreeString.OLEAUT32(00000000), ref: 010254A1
                                            Strings
                                            Similarity
                                            • API ID: String$AllocFree
                                            • String ID: `<u$xmlutil.cpp
                                            • API String ID: 344208780-3482516102
                                            APIs
                                            • PostThreadMessageW.USER32(?,00009003,00000000,?), ref: 01002971
                                            • GetLastError.KERNEL32 ref: 0100297B
                                            Strings
                                            • EngineForApplication.cpp, xrefs: 010029A0
                                            • Failed to post apply message., xrefs: 010029AA
                                            Similarity
                                            • API ID: ErrorLastMessagePostThread
                                            • String ID: EngineForApplication.cpp$Failed to post apply message.
                                            • API String ID: 2609174426-1304321051
                                            APIs
                                            • PostThreadMessageW.USER32(?,00009004,?,00000000), ref: 010029D3
                                            • GetLastError.KERNEL32 ref: 010029DD
                                            Strings
                                            • Failed to post shutdown message., xrefs: 01002A0C
                                            • EngineForApplication.cpp, xrefs: 01002A02
                                            Similarity
                                            • API ID: ErrorLastMessagePostThread
                                            • String ID: EngineForApplication.cpp$Failed to post shutdown message.
                                            • API String ID: 2609174426-188808143
                                            APIs
                                            • PostThreadMessageW.USER32(?,00009000,00000000,00000000), ref: 01002837
                                            • GetLastError.KERNEL32 ref: 01002841
                                            Strings
                                            • Failed to post detect message., xrefs: 01002870
                                            • EngineForApplication.cpp, xrefs: 01002866
                                            Similarity
                                            • API ID: ErrorLastMessagePostThread
                                            • String ID: EngineForApplication.cpp$Failed to post detect message.
                                            • API String ID: 2609174426-598219917
                                            APIs
                                            • PostThreadMessageW.USER32(?,00009001,00000000,?), ref: 01002899
                                            • GetLastError.KERNEL32 ref: 010028A3
                                            Strings
                                            • Failed to post plan message., xrefs: 010028D2
                                            • EngineForApplication.cpp, xrefs: 010028C8
                                            Similarity
                                            • API ID: ErrorLastMessagePostThread
                                            • String ID: EngineForApplication.cpp$Failed to post plan message.
                                            • API String ID: 2609174426-2952114608
                                            APIs
                                            • SetEvent.KERNEL32(0578F685,00FF1D56,010167A7,00FF1D56,?,010106CE,00FF2222,00FF1E8E,?,00FFD890,?,00FF1D56,00FF1D9E,?,00FF1DDE,WixBundleElevated), ref: 01016528
                                            • GetLastError.KERNEL32(?,010106CE,00FF2222,00FF1E8E,?,00FFD890,?,00FF1D56,00FF1D9E,?,00FF1DDE,WixBundleElevated,00000000,00000000,00000001,00FF1DDE), ref: 01016532
                                            Strings
                                            • cabextract.cpp, xrefs: 01016557
                                            • Failed to set begin operation event., xrefs: 01016561
                                            Similarity
                                            • API ID: ErrorEventLast
                                            • String ID: Failed to set begin operation event.$cabextract.cpp
                                            • API String ID: 3848097054-4159625223
                                            APIs
                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0101EE62
                                            • __isleadbyte_l.LIBCMT ref: 0101EE95
                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,00000000,00000000,?,?,?,?,?,00000000), ref: 0101EEC6
                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,00000000,00000000,?,?,?,?,?,00000000), ref: 0101EF34
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                            • String ID:
                                            • API String ID: 3058430110-0
                                            APIs
                                              • Part of subcall function 00FF587B: RegCloseKey.ADVAPI32(00000000,?,?,00000001,00000000,?,?,?,00FF1245,?,?,00000000), ref: 00FF58CB
                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,00000000,?,?,00000000,?,?,?,?), ref: 00FF12AC
                                            Strings
                                            • Failed to get current process path., xrefs: 00FF1262
                                            • Unable to get resume command line from the registry, xrefs: 00FF124B
                                            • Failed to re-launch bundle process after RunOnce: %ls, xrefs: 00FF1296
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Close$Handle
                                            • String ID: Failed to get current process path.$Failed to re-launch bundle process after RunOnce: %ls$Unable to get resume command line from the registry
                                            • API String ID: 187904097-642631345
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?,00000000,00000000,?,?,010098BD,?,WixBundleOriginalSource,?,00000000,?,?,00000001,?,?,00000001), ref: 00FFA4E8
                                            • LeaveCriticalSection.KERNEL32(?,00000000,00000000,?,?,010098BD,?,WixBundleOriginalSource,?,00000000,?,?,00000001,?,?,00000001), ref: 00FFA54A
                                            Strings
                                            • Failed to get value of variable: %ls, xrefs: 00FFA51F
                                            • Failed to get value as string for variable: %ls, xrefs: 00FFA53B
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls
                                            • API String ID: 3168844106-2100416246
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?), ref: 00FFA46A
                                            • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 00FFA4CC
                                            Strings
                                            • Failed to get value as numeric for variable: %ls, xrefs: 00FFA4BD
                                            • Failed to get value of variable: %ls, xrefs: 00FFA4A1
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
                                            • API String ID: 3168844106-4270472870
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?), ref: 00FFA566
                                            • LeaveCriticalSection.KERNEL32(?,?,00000000), ref: 00FFA5C8
                                            Strings
                                            • Failed to get value of variable: %ls, xrefs: 00FFA59D
                                            • Failed to get value as version for variable: %ls, xrefs: 00FFA5B9
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
                                            • API String ID: 3168844106-1851729331
                                            APIs
                                            • GetEnvironmentStringsW.KERNEL32(00000000,0101840C), ref: 01019A5C
                                            • __malloc_crt.LIBCMT ref: 01019A8B
                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 01019A98
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: EnvironmentStrings$Free__malloc_crt
                                            • String ID:
                                            • API String ID: 237123855-0
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?,?,00000000,?,?,0100700D,?,?,?,?,?,?,010074FC,?,?,?), ref: 00FFA5E4
                                            • LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,0100700D,?,?,?,?,?,?,010074FC,?,?,?), ref: 00FFA635
                                            Strings
                                            • Failed to get value of variable: %ls, xrefs: 00FFA607
                                            • Failed to copy value of variable: %ls, xrefs: 00FFA626
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
                                            • API String ID: 3168844106-2936390398
                                            APIs
                                            • _malloc.LIBCMT ref: 01018EA6
                                              • Part of subcall function 0101BB70: __FF_MSGBANNER.LIBCMT ref: 0101BB89
                                              • Part of subcall function 0101BB70: __NMSG_WRITE.LIBCMT ref: 0101BB90
                                              • Part of subcall function 0101BB70: HeapAlloc.KERNEL32(00000000,00000001,00000001,00000000,00000000,?,0101C627,00000000,00000001,00000000,?,0101BDD6,00000018,01043420,0000000C,0101BE66), ref: 0101BBB5
                                            • std::exception::exception.LIBCMT ref: 01018EDB
                                            • std::exception::exception.LIBCMT ref: 01018EF5
                                            • __CxxThrowException@8.LIBCMT ref: 01018F06
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: std::exception::exception$AllocException@8HeapThrow_malloc
                                            • String ID:
                                            • API String ID: 1414122017-0
                                            APIs
                                            • RegCloseKey.ADVAPI32(00000000), ref: 010240E2
                                              • Part of subcall function 01023D9A: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,01027ABC,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 01023DAE
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CloseOpen
                                            • String ID: regutil.cpp
                                            • API String ID: 47109696-955085611
                                            APIs
                                            • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,80070002,80070003,00000000,00000000,00000000), ref: 01023850
                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 01023889
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: QueryValue
                                            • String ID: regutil.cpp
                                            • API String ID: 3660427363-955085611
                                            APIs
                                            • ReadFile.KERNEL32(?,?,?,?,00000000,00000000,75C0B390,00000000,?,01007FDD,?,?,?,00000000,00000000,?), ref: 01025E96
                                            • GetLastError.KERNEL32(?,01007FDD,?,?,?,00000000,00000000,?,00000000,00000000,00000000,00000000,?,00FF130D,?,?), ref: 01025F0D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorFileLastRead
                                            • String ID: fileutil.cpp
                                            • API String ID: 1948546556-2967768451
                                            APIs
                                            • _memmove.LIBCMT ref: 010218B7
                                            • _memmove.LIBCMT ref: 010218C2
                                              • Part of subcall function 0102293A: GetProcessHeap.KERNEL32(00000000,?,?,01020E95,?,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000,00000000), ref: 01022942
                                              • Part of subcall function 0102293A: HeapSize.KERNEL32(00000000,?,01020E95,?,?,00000000,00000000,?,?,?,0101FD73,?,?,00000000,00000000,?), ref: 01022949
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: Heap_memmove$ProcessSize
                                            • String ID: W
                                            • API String ID: 3606272560-655174618
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: _memmove_s
                                            • String ID: \\?\$\\?\UNC
                                            • API String ID: 800865076-2523517826
                                            APIs
                                            • CompareStringW.KERNEL32(00000000,00000000,00000000,000000FF,?,000000FF,IGNOREDEPENDENCIES,00000000,?,?,?,0100FF26,00000000,IGNOREDEPENDENCIES,00000000,?), ref: 00FF4116
                                            Strings
                                            • Failed to copy the property value., xrefs: 00FF4146
                                            • IGNOREDEPENDENCIES, xrefs: 00FF40D2
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CompareString
                                            • String ID: Failed to copy the property value.$IGNOREDEPENDENCIES
                                            • API String ID: 1825529933-1412343224
                                            • Opcode ID: 305fe8c6806e2106e6954f1b3712af11c82e02ab61b887ff5f6498efbe4a1646
                                            • Instruction ID: 6886fa2a8b2f395671d770be979ae9d201a5eed697b83cd7a72ef9e6772ef4e5
                                            • Opcode Fuzzy Hash: 305fe8c6806e2106e6954f1b3712af11c82e02ab61b887ff5f6498efbe4a1646
                                            • Instruction Fuzzy Hash: D411BF3690421DEFCF218F54C884ABF77A9EF14370F22416AEA29A7260C7307D90EB50
                                            APIs
                                              • Part of subcall function 01023D9A: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,01027ABC,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 01023DAE
                                            • RegCloseKey.ADVAPI32(?,SOFTWARE\Policies\Microsoft\Windows\Installer,00020019,?,00000001,?,?,?,01001F22,00000000,?,?,?), ref: 01001C51
                                              • Part of subcall function 010237DF: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,80070002,80070003,00000000,00000000,00000000), ref: 01023850
                                              • Part of subcall function 010237DF: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 01023889
                                            Strings
                                            • Logging, xrefs: 01001BF2
                                            • SOFTWARE\Policies\Microsoft\Windows\Installer, xrefs: 01001BD3
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: QueryValue$CloseOpen
                                            • String ID: Logging$SOFTWARE\Policies\Microsoft\Windows\Installer
                                            • API String ID: 1586453840-387823766
                                            APIs
                                            • CoInitializeEx.OLE32(00000000,00000000), ref: 00FFC179
                                            • CoUninitialize.OLE32(?,?,?,?,?,?), ref: 00FFC1DC
                                            Strings
                                            • Failed to initialize COM on cache thread., xrefs: 00FFC186
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: InitializeUninitialize
                                            • String ID: Failed to initialize COM on cache thread.
                                            • API String ID: 3442037557-3629645316
                                            APIs
                                              • Part of subcall function 01023D9A: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,01027ABC,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 01023DAE
                                            • RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,?,?,?,00000000,?,?,?,01026B57,?), ref: 01026B19
                                              • Part of subcall function 01023BAC: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000105,00000000,00000000,?,?,?,?,00FF565B,00000000,Installed,00000000,?), ref: 01023BD1
                                            Strings
                                            • EnableLUA, xrefs: 01026AEB
                                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 01026AC9
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CloseOpenQueryValue
                                            • String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
                                            • API String ID: 3677997916-3551287084
                                            APIs
                                            • LCMapStringW.KERNEL32(0000007F,?,?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,01021D5C,00000000,?,00000200), ref: 01021CF1
                                            • GetLastError.KERNEL32(?,01021D5C,00000000,?,00000200,?,0102744D,00000000,00000000,00000000,00000000,?,00000000,?,01027829,00000000), ref: 01021CFB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorLastString
                                            • String ID: strutil.cpp
                                            • API String ID: 3728238275-3612885251
                                            APIs
                                            • GetCurrentProcess.KERNEL32(?), ref: 00FF9F79
                                              • Part of subcall function 0102057A: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process,00000000,?,?,00FF9127,00000000), ref: 0102058E
                                              • Part of subcall function 0102057A: GetProcAddress.KERNEL32(00000000), ref: 01020595
                                              • Part of subcall function 0102057A: GetLastError.KERNEL32(?,?,00FF9127,00000000), ref: 010205AC
                                              • Part of subcall function 00FF9B01: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00FF9B87
                                            Strings
                                            • Failed to get 64-bit folder., xrefs: 00FF9F9C
                                            • Failed to set variant value., xrefs: 00FF9FB5
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
                                            • String ID: Failed to get 64-bit folder.$Failed to set variant value.
                                            • API String ID: 3109562764-2681622189
                                            APIs
                                            • GetModuleFileNameW.KERNEL32(00FF213E,?,00000104,?,00000104,?,00000000,?,?,00FF213E,?,00000000,?,?,?,76EEC3F0), ref: 0102204D
                                            • GetLastError.KERNEL32(?,00FF213E,?,00000000,?,?,?,76EEC3F0,?,00000000), ref: 01022064
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorFileLastModuleName
                                            • String ID: pathutil.cpp
                                            • API String ID: 2776309574-741606033
                                            APIs
                                              • Part of subcall function 01023D9A: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,01027ABC,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 01023DAE
                                            • RegCloseKey.ADVAPI32(00000000,00000000,00000000,?,?,00020006,00000000,00000000,00000001,?,?,01011E8F,000000F9,00000000,000000B9,00000000), ref: 00FF71F5
                                            Strings
                                            • Failed to update resume mode., xrefs: 00FF71DF
                                            • Failed to open registration key., xrefs: 00FF71C5
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CloseOpen
                                            • String ID: Failed to open registration key.$Failed to update resume mode.
                                            • API String ID: 47109696-3366686031
                                            APIs
                                            • GetFileSizeEx.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00FF2787,?,?,?,00000000,00000000), ref: 01025CD1
                                            • GetLastError.KERNEL32(?,?,?,00FF2787,?,?,?,00000000,00000000,?,?,?,76EEC3F0,?,00000000), ref: 01025CDB
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorFileLastSize
                                            • String ID: fileutil.cpp
                                            • API String ID: 464720113-2967768451
                                            APIs
                                            • HttpQueryInfoW.WININET(?,?,00000001,?,00000000), ref: 01028202
                                            • GetLastError.KERNEL32(?,?,?,01017201,00000000,00000013,00000000,?,?,?,0101747C,00000000,?,00000000,?,00000000), ref: 0102820C
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorHttpInfoLastQuery
                                            • String ID: inetutil.cpp
                                            • API String ID: 4218848986-2900720265
                                            APIs
                                            • CloseHandle.KERNEL32(00FFFF24,00000000,00FF1AAE,?,00FFD984,?,00FF1AAE,00FF1E12,00FF1E12,00000000,?,00FF1E22,02BB4868,00FF1E22,?,?), ref: 01010754
                                            • _memset.LIBCMT ref: 01010766
                                              • Part of subcall function 01016101: SetEvent.KERNEL32(0578F685,00FF2222,00FF1E22,?,?,01010739,00FF2222,00000000,00FF1AAE,?,00FFD984,?,00FF1AAE,00FF1E12,00FF1E12,00000000), ref: 01016122
                                              • Part of subcall function 01016101: GetLastError.KERNEL32(?,?,01010739,00FF2222,00000000,00FF1AAE,?,00FFD984,?,00FF1AAE,00FF1E12,00FF1E12,00000000,?,00FF1E22,02BB4868), ref: 0101612C
                                              • Part of subcall function 01016101: CloseHandle.KERNEL32(F08B8007,00000000,00FF2222,00FF1E22,?,?,01010739,00FF2222,00000000,00FF1AAE,?,00FFD984,?,00FF1AAE,00FF1E12,00FF1E12), ref: 010161C8
                                              • Part of subcall function 01016101: CloseHandle.KERNEL32(0578F685,00000000,00FF2222,00FF1E22,?,?,01010739,00FF2222,00000000,00FF1AAE,?,00FFD984,?,00FF1AAE,00FF1E12,00FF1E12), ref: 010161D5
                                              • Part of subcall function 01016101: CloseHandle.KERNEL32(004005BE,00000000,00FF2222,00FF1E22,?,?,01010739,00FF2222,00000000,00FF1AAE,?,00FFD984,?,00FF1AAE,00FF1E12,00FF1E12), ref: 010161E2
                                            Strings
                                            • Failed to close cabinet., xrefs: 0101073F
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: CloseHandle$ErrorEventLast_memset
                                            • String ID: Failed to close cabinet.
                                            • API String ID: 1352847294-2920093955
                                            APIs
                                            • HttpQueryInfoW.WININET(00000000,20000005,00000000,00000000,00000000), ref: 01028011
                                            • GetLastError.KERNEL32(?,?,010175A4,?,?,00000000,000000FF,?,00000000,HEAD,00000000,00000000,?,00000000,?,?), ref: 0102801B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: ErrorHttpInfoLastQuery
                                            • String ID: inetutil.cpp
                                            • API String ID: 4218848986-2900720265
                                            APIs
                                              • Part of subcall function 0102596E: SysAllocString.OLEAUT32(?), ref: 01025981
                                              • Part of subcall function 0102596E: VariantInit.OLEAUT32(?), ref: 0102598D
                                              • Part of subcall function 0102596E: VariantClear.OLEAUT32(?), ref: 01025A01
                                              • Part of subcall function 0102596E: SysFreeString.OLEAUT32(00000000), ref: 01025A0C
                                            • _wcstoul.LIBCMT ref: 01025B72
                                              • Part of subcall function 0102910F: wcstoxl.LIBCMT ref: 0102911F
                                            • SysFreeString.OLEAUT32(00000000), ref: 01025B88
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: String$FreeVariant$AllocClearInit_wcstoulwcstoxl
                                            • String ID: `<u
                                            • API String ID: 935627439-3367579956
                                            APIs
                                            • DecodePointer.KERNEL32(?,0101A8D3,00000000,00000000,00000000,00000000,00000000,0101C611,?,010195B7,00000003,0101BB8E,00000001,00000000,00000000), ref: 0101A8A5
                                            • __invoke_watson.LIBCMT ref: 0101A8C1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: DecodePointer__invoke_watson
                                            • String ID: PNv
                                            • API String ID: 4034010525-4070351811
                                            APIs
                                              • Part of subcall function 0102303C: _memset.LIBCMT ref: 01023063
                                              • Part of subcall function 0102303C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 01023078
                                              • Part of subcall function 0102303C: LoadLibraryW.KERNELBASE(?,?,00000104,00FF1C3B), ref: 010230C6
                                              • Part of subcall function 0102303C: GetLastError.KERNEL32 ref: 010230D2
                                            • GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 0102378B
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000B.00000002.4824907435.0000000000FF1000.00000020.00000001.01000000.00000008.sdmp, Offset: 00FF0000, based on PE: true
                                            • Associated: 0000000B.00000002.4824851572.0000000000FF0000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825000271.000000000102B000.00000002.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825092911.0000000001046000.00000004.00000001.01000000.00000008.sdmp
                                            • Associated: 0000000B.00000002.4825170925.000000000104C000.00000002.00000001.01000000.00000008.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_11_2_ff0000_vcredist_2013_x64.jbxd
                                            Similarity
                                            • API ID: AddressDirectoryErrorLastLibraryLoadProcSystem_memset
                                            • String ID: AdvApi32.dll$RegDeleteKeyExW
                                            • API String ID: 2769571726-850864035

                                            Control-flow Graph (first basic block 41700-41770)
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 0004175F
                                            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00041772
                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,00000001,00000000,?), ref: 000417BD
                                            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000417C7
                                            • GetTempPathW.KERNEL32(00000104,?,?,?,?,00000001,00000000,?), ref: 0004181A
                                            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00041824
                                            • FindFirstFileW.KERNELBASE(?,?,?,*.*,?,?,?,?,00000001,00000000,?), ref: 00041878
                                            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00041889
                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00000001,00000000,?), ref: 0004195B
                                            • DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,00000001,00000000,?), ref: 0004196F
                                            • GetTempFileNameW.KERNEL32(?,DEL,00000000,?,?,?,?,00000001,00000000,?), ref: 00041998
                                            • MoveFileExW.KERNEL32(?,?,00000001,?,?,?,00000001,00000000,?), ref: 000419BB
                                            • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 000419D4
                                            • FindNextFileW.KERNELBASE(000000FF,?,?,?,?,?,?,?,00000001,00000000,?), ref: 000419E4
                                            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 000419F9
                                            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00041A28
                                            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00041A4A
                                            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00041A6C
                                            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00041A77
                                            • RemoveDirectoryW.KERNELBASE(?,?,?,?,00000001,00000000,?), ref: 00041AA0
                                            • GetLastError.KERNEL32(?,?,?,00000001,00000000,?), ref: 00041AAA
                                            • MoveFileExW.KERNEL32(?,00000000,00000004,?,?,?,00000001,00000000,?), ref: 00041ACE
                                            • FindClose.KERNEL32(000000FF,?,?,?,00000001,00000000,?), ref: 00041AFA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: ErrorFileLast$AttributesFindMove$Temp$CloseDeleteDirectoryFirstNameNextPathRemove
                                            • String ID: *.*$DEL$c:\agent\_work\36\s\wix\src\libs\dutil\dirutil.cpp
                                            • API String ID: 1544372074-374933037
                                            APIs
                                              • Part of subcall function 00044E3A: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,0004114E,?,00000000), ref: 00044E5B
                                            • CreateFileW.KERNELBASE(?,80000000,00000005,00000000,00000003,00000080,00000000,?,00000000), ref: 00041167
                                              • Part of subcall function 000414FE: HeapSetInformation.KERNEL32(00000000,00000001,00000000,00000000,?,?,?,?,?,0004118B,cabinet.dll,00000009,?,?,00000000), ref: 0004150F
                                              • Part of subcall function 000414FE: GetModuleHandleW.KERNEL32(kernel32,?,?,?,?,?,0004118B,cabinet.dll,00000009,?,?,00000000), ref: 0004151A
                                              • Part of subcall function 000414FE: GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 00041528
                                              • Part of subcall function 000414FE: GetLastError.KERNEL32(?,?,?,?,?,0004118B,cabinet.dll,00000009,?,?,00000000), ref: 00041543
                                              • Part of subcall function 000414FE: GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 0004154B
                                              • Part of subcall function 000414FE: GetLastError.KERNEL32(?,?,?,?,?,0004118B,cabinet.dll,00000009,?,?,00000000), ref: 00041560
                                            • CloseHandle.KERNELBASE(?,?,?,?,0008E4D0,?,cabinet.dll,00000009,?,?,00000000), ref: 000411AA
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: AddressErrorFileHandleLastModuleProc$CloseCreateHeapInformationName
                                            • String ID: cabinet.dll$clbcatq.dll$comres.dll$crypt32.dll$feclient.dll$msasn1.dll$msi.dll$version.dll$wininet.dll
                                            • API String ID: 3687706282-3151496603
                                            APIs
                                              • Part of subcall function 00059EF0: GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000), ref: 00059F4F
                                              • Part of subcall function 00059EF0: GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00059F75
                                              • Part of subcall function 00059EF0: GetLastError.KERNEL32 ref: 00059F7F
                                            • ConvertStringSecurityDescriptorToSecurityDescriptorW.ADVAPI32(D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY),00000001,?,00000000), ref: 0005BD60
                                            • GetLastError.KERNEL32(?,00000000,840F01E8,00047083,00000000,0004714F,840F01E8), ref: 0005BD69
                                            • LocalFree.KERNEL32(?), ref: 0005BE0C
                                              • Part of subcall function 000450E9: GetProcessHeap.KERNEL32(?,000001C7,?,00042D50,?,00000001,80004005,8007139F,?,?,00085417,8007139F,?,00000000,00000000,8007139F), ref: 000450FA
                                              • Part of subcall function 000450E9: RtlAllocateHeap.NTDLL(00000000,?,00042D50,?,00000001,80004005,8007139F,?,?,00085417,8007139F,?,00000000,00000000,8007139F), ref: 00045101
                                              • Part of subcall function 00041B27: CreateDirectoryW.KERNELBASE(00000000,00047083,00000000,00000000,?,0005BDBF,00000000,00000000,?,00000000,840F01E8,00047083,00000000,0004714F,840F01E8), ref: 00041B35
                                              • Part of subcall function 00041B27: GetLastError.KERNEL32(?,0005BDBF,00000000,00000000,?,00000000,840F01E8,00047083,00000000,0004714F,840F01E8), ref: 00041B43
                                            • DecryptFileW.ADVAPI32(00000000,00000000), ref: 0005BDD0
                                            Strings
                                            • D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY), xrefs: 0005BD5B
                                            • Failed to copy working folder., xrefs: 0005BDED
                                            • Failed to create the security descriptor for the working folder., xrefs: 0005BD97
                                            • Failed create working folder., xrefs: 0005BDC5
                                            • c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp, xrefs: 0005BD8D
                                            • Failed to calculate working folder to ensure it exists., xrefs: 0005BD3D
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: ErrorLast$DescriptorDirectoryHeapProcessSecurity$AllocateConvertCreateCurrentDecryptFileFreeLocalStringWindows
                                            • String ID: D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)$Failed create working folder.$Failed to calculate working folder to ensure it exists.$Failed to copy working folder.$Failed to create the security descriptor for the working folder.$c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp
                                            • API String ID: 1593575373-1634687223
                                            APIs
                                            • FindFirstFileW.KERNELBASE(?,?,?,00000000), ref: 00043B67
                                            • FindClose.KERNEL32(00000000,?,00000000), ref: 00043B73
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: Find$CloseFileFirst
                                            • String ID:
                                            • API String ID: 2295610775-0

                                            Control-flow Graph (first basic block 516b9-516ea; API calls visible in the graph: CompareStringW)
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: StringVariant$AllocClearFreeInit
                                            • String ID: AboutUrl$Arp$Classification$Comments$Contact$Department$DisableModify$DisableRemove$DisplayName$DisplayVersion$ExecutableName$Failed to get @AboutUrl.$Failed to get @Classification.$Failed to get @Comments.$Failed to get @Contact.$Failed to get @Department.$Failed to get @DisableModify.$Failed to get @DisableRemove.$Failed to get @DisplayName.$Failed to get @DisplayVersion.$Failed to get @ExecutableName.$Failed to get @HelpLink.$Failed to get @HelpTelephone.$Failed to get @Id.$Failed to get @Manufacturer.$Failed to get @Name.$Failed to get @ParentDisplayName.$Failed to get @PerMachine.$Failed to get @ProductFamily.$Failed to get @ProviderKey.$Failed to get @Publisher.$Failed to get @Register.$Failed to get @Tag.$Failed to get @UpdateUrl.$Failed to get @Version.$Failed to parse @Version: %ls$Failed to parse related bundles$Failed to parse software tag.$Failed to select ARP node.$Failed to select Update node.$Failed to select registration node.$Failed to set registration paths.$HelpLink$HelpTelephone$Invalid modify disabled type: %ls$Manufacturer$Name$ParentDisplayName$PerMachine$ProductFamily$ProviderKey$Publisher$Register$Registration$Tag$Update$UpdateUrl$Version$button$c:\agent\_work\36\s\wix\src\burn\engine\registration.cpp$yes$
                                            • API String ID: 760788290-4060943106

                                            Control-flow Graph (first basic block 4d197-4d20c; API calls visible in the graph: GetLastError, SetFilePointerEx, ReadFile)
351->349 354->355 355->316 362 4d80d-4d81d call 413b3 355->362 362->287
                                            APIs
                                            • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0004D20E
                                            • SetFilePointerEx.KERNELBASE(000000FF,00000000,00000000,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0004D25C
                                            • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0004D262
                                            • ReadFile.KERNELBASE(00000000,00046139,00000040,?,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0004D2AA
                                            • GetLastError.KERNEL32(?,?,?,00000000,76EEC3F0,00000000), ref: 0004D2B0
                                            • SetFilePointerEx.KERNELBASE(00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0004D30D
                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0004D313
                                            • ReadFile.KERNELBASE(00000000,?,00000018,00000040,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0004D35C
                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0004D362
                                            • SetFilePointerEx.KERNELBASE(00000000,-00000098,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0004D3D3
                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0004D3D9
                                            • ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0004D422
                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0004D428
                                            • ReadFile.KERNEL32(00000000,?,00000004,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0004D471
                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0004D477
                                            • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0004D4C3
                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0004D4C9
                                              • Part of subcall function 000450E9: GetProcessHeap.KERNEL32(?,000001C7,?,00042D50,?,00000001,80004005,8007139F,?,?,00085417,8007139F,?,00000000,00000000,8007139F), ref: 000450FA
                                              • Part of subcall function 000450E9: RtlAllocateHeap.NTDLL(00000000,?,00042D50,?,00000001,80004005,8007139F,?,?,00085417,8007139F,?,00000000,00000000,8007139F), ref: 00045101
                                            • ReadFile.KERNEL32(00000000,?,00000028,00000018,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0004D51C
                                            • ReadFile.KERNEL32(00000000,?,00000028,00000028,00000000,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0004D57E
                                            • SetFilePointerEx.KERNELBASE(00000000,?,00000000,00000000,00000000,00000034,00000001,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0004D608
                                            • GetLastError.KERNEL32(?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 0004D612
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: File$ErrorLast$Read$Pointer$Heap$AllocateProcess
                                            • String ID: ($.wix$4$Failed to allocate buffer for section info.$Failed to allocate memory for container sizes.$Failed to find Burn section.$Failed to find valid DOS image header in buffer.$Failed to find valid NT image header in buffer.$Failed to get total size of bundle.$Failed to open handle to engine process path.$Failed to read DOS header.$Failed to read NT header.$Failed to read complete image section header, index: %u$Failed to read complete section info.$Failed to read image section header, index: %u$Failed to read section info, data to short: %u$Failed to read section info, unsupported version: %08x$Failed to read section info.$Failed to read signature offset.$Failed to read signature size.$Failed to seek past optional headers.$Failed to seek to NT header.$Failed to seek to section info.$Failed to seek to start of file.$PE$PE Header from file didn't match PE Header in memory.$burn$c:\agent\_work\36\s\wix\src\burn\engine\section.cpp$h\!

                                            Control-flow Graph

                                            APIs
                                              • Part of subcall function 000450E9: GetProcessHeap.KERNEL32(?,000001C7,?,00042D50,?,00000001,80004005,8007139F,?,?,00085417,8007139F,?,00000000,00000000,8007139F), ref: 000450FA
                                              • Part of subcall function 000450E9: RtlAllocateHeap.NTDLL(00000000,?,00042D50,?,00000001,80004005,8007139F,?,?,00085417,8007139F,?,00000000,00000000,8007139F), ref: 00045101
                                            • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,download,000000FF,00000000,Packaging,00000000,00000000,FilePath,00047123,00000000,0008FD50,0004710B,00000000), ref: 0004EBE9
                                            Strings
                                            • Hash, xrefs: 0004EDAD
                                            • FileSize, xrefs: 0004ECF8
                                            • c:\agent\_work\36\s\wix\src\burn\engine\payload.cpp, xrefs: 0004EB35
                                            • CertificateRootThumbprint, xrefs: 0004ED70
                                            • download, xrefs: 0004EBDB
                                            • external, xrefs: 0004EC17
                                            • Failed to get @SourcePath., xrefs: 0004EEE5
                                            • Invalid value for @Packaging: %ls, xrefs: 0004EEF4
                                            • Container, xrefs: 0004EC41
                                            • DownloadUrl, xrefs: 0004ECCF
                                            • Failed to get @Catalog., xrefs: 0004EEC9
                                            • Failed to select payload nodes., xrefs: 0004EAE1
                                            • CertificateRootPublicKeyIdentifier, xrefs: 0004ED33
                                            • Catalog, xrefs: 0004EDE2
                                            • Failed to hex decode @CertificateRootPublicKeyIdentifier., xrefs: 0004EEA6
                                            • Failed to parse @FileSize., xrefs: 0004EE95
                                            • Failed to to find container: %ls, xrefs: 0004EE7A
                                            • Failed to get @FilePath., xrefs: 0004EF0E
                                            • FilePath, xrefs: 0004EBA1
                                            • Failed to get payload node count., xrefs: 0004EB06
                                            • Failed to allocate memory for payload structs., xrefs: 0004EB3F
                                            • Payload, xrefs: 0004EACE
                                            • Failed to get @Packaging., xrefs: 0004EF07
                                            • Failed to get next node., xrefs: 0004EF1C
                                            • embedded, xrefs: 0004EBFB
                                            • Failed to get @LayoutOnly., xrefs: 0004EE8B
                                            • Failed to get @Container., xrefs: 0004EE81
                                            • Failed to hex decode @CertificateRootThumbprint., xrefs: 0004EEB4
                                            • Failed to get @CertificateRootPublicKeyIdentifier., xrefs: 0004EEAD
                                            • SourcePath, xrefs: 0004ECA6
                                            • LayoutOnly, xrefs: 0004EC83
                                            • Failed to hex decode the Payload/@Hash., xrefs: 0004EED0
                                            • Failed to find catalog., xrefs: 0004EEC2
                                            • Packaging, xrefs: 0004EBBC
                                            • Failed to get @Id., xrefs: 0004EF15
                                            • Failed to get @FileSize., xrefs: 0004EE9F
                                            • Failed to get @CertificateRootThumbprint., xrefs: 0004EEBB
                                            • Failed to get @Hash., xrefs: 0004EED7
                                            • Failed to get @DownloadUrl., xrefs: 0004EEDE
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: Heap$AllocateCompareProcessString
                                            • String ID: Catalog$CertificateRootPublicKeyIdentifier$CertificateRootThumbprint$Container$DownloadUrl$Failed to allocate memory for payload structs.$Failed to find catalog.$Failed to get @Catalog.$Failed to get @CertificateRootPublicKeyIdentifier.$Failed to get @CertificateRootThumbprint.$Failed to get @Container.$Failed to get @DownloadUrl.$Failed to get @FilePath.$Failed to get @FileSize.$Failed to get @Hash.$Failed to get @Id.$Failed to get @LayoutOnly.$Failed to get @Packaging.$Failed to get @SourcePath.$Failed to get next node.$Failed to get payload node count.$Failed to hex decode @CertificateRootPublicKeyIdentifier.$Failed to hex decode @CertificateRootThumbprint.$Failed to hex decode the Payload/@Hash.$Failed to parse @FileSize.$Failed to select payload nodes.$Failed to to find container: %ls$FilePath$FileSize$Hash$Invalid value for @Packaging: %ls$LayoutOnly$Packaging$Payload$SourcePath$c:\agent\_work\36\s\wix\src\burn\engine\payload.cpp$download$embedded$external

                                            Control-flow Graph

                                            APIs
                                            • SetEvent.KERNEL32(?,?,?,?,?,00062495,?,?), ref: 000628F4
                                            • GetLastError.KERNEL32(?,?,?,?,00062495,?,?), ref: 000628FE
                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,00062495,?,?), ref: 00062943
                                            • GetLastError.KERNEL32(?,?,?,?,00062495,?,?), ref: 0006294E
                                            • ResetEvent.KERNEL32(?,?,?,?,?,00062495,?,?), ref: 00062986
                                            • GetLastError.KERNEL32(?,?,?,?,00062495,?,?), ref: 00062990
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: ErrorLast$Event$ObjectResetSingleWait
                                            • String ID: Failed to allocate buffer for stream.$Failed to copy stream name: %ls$Failed to create file: %ls$Failed to reset begin operation event.$Failed to set end of file.$Failed to set file pointer to beginning of file.$Failed to set file pointer to end of file.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp

                                            Control-flow Graph

                                            APIs
                                            • GetModuleHandleW.KERNEL32(00000000,?,?,?,?,?,?), ref: 00046EDD
                                              • Part of subcall function 000856A2: InitializeCriticalSection.KERNEL32(000AF764,?,00046EE9,00000000,?,?,?,?,?,?), ref: 000856B9
                                              • Part of subcall function 00041591: CommandLineToArgvW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,ignored ,00000000,?,00000000,?,?,?,00046F05,00000000,?), ref: 000415CF
                                              • Part of subcall function 00041591: GetLastError.KERNEL32(?,?,?,00046F05,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 000415D9
                                            • CoInitializeEx.COMBASE(00000000,00000000,?,?,00000000,?,?,00000003,00000000,00000000,?,?,?,?,?,?), ref: 00046F4B
                                              • Part of subcall function 000456C9: GetProcAddress.KERNEL32(RegDeleteKeyExW,AdvApi32.dll), ref: 000456EA
                                            • GetVersionExW.KERNEL32(?,?,?,?,?,?,?), ref: 00046FDD
                                            • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00046FE7
                                            • CoUninitialize.COMBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00047254
                                            Strings
                                            • Failed to run per-machine mode., xrefs: 00047132
                                            • Failed to initialize Cryputil., xrefs: 00046F6C
                                            • 3.14.1.8722, xrefs: 0004704A
                                            • Failed to parse command line., xrefs: 00046F0B
                                            • Failed to initialize Wiutil., xrefs: 00046FA7
                                            • Failed to initialize XML util., xrefs: 00046FBF
                                            • , xrefs: 000471BB
                                            • Failed to run per-user mode., xrefs: 0004715A
                                            • Failed to run embedded mode., xrefs: 0004710A
                                            • Invalid run mode., xrefs: 000470BF
                                            • c:\agent\_work\36\s\wix\src\burn\engine\engine.cpp, xrefs: 0004700B
                                            • Failed to initialize core., xrefs: 00047089
                                            • Failed to initialize engine state., xrefs: 00046F32
                                            • Failed to run RunOnce mode., xrefs: 000470E2
                                            • Failed to initialize Regutil., xrefs: 00046F8F
                                            • Failed to initialize COM., xrefs: 00046F57
                                            • Failed to run untrusted mode., xrefs: 0004717C
                                            • Failed to get OS info., xrefs: 00047015
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: ErrorInitializeLast$AddressArgvCommandCriticalHandleLineModuleProcSectionUninitializeVersion
                                            • String ID: 3.14.1.8722$Failed to get OS info.$Failed to initialize COM.$Failed to initialize Cryputil.$Failed to initialize Regutil.$Failed to initialize Wiutil.$Failed to initialize XML util.$Failed to initialize core.$Failed to initialize engine state.$Failed to parse command line.$Failed to run RunOnce mode.$Failed to run embedded mode.$Failed to run per-machine mode.$Failed to run per-user mode.$Failed to run untrusted mode.$Invalid run mode.$c:\agent\_work\36\s\wix\src\burn\engine\engine.cpp$
                                            • API String ID: 3262001429-808583736
                                            • Opcode ID: a1f2b4de64d2fd013780b92a2e4bd84f0bc0a45e57fba75b8d08126b43f2709c
                                            • Instruction ID: 0e29605018445368f1efd0715b278f5bbdc8d193d59df282a37744c77fab3a11
                                            • Opcode Fuzzy Hash: a1f2b4de64d2fd013780b92a2e4bd84f0bc0a45e57fba75b8d08126b43f2709c
                                            • Instruction Fuzzy Hash: E2B1E7B1D04628ABDB32AF64CD46BEE76B4BB05311F0000B5F94CB6252DB719E84CF99

                                            APIs
                                              • Part of subcall function 00044E3A: GetModuleFileNameW.KERNEL32(?,?,00000104,?,00000104,?,?,?,?,0004114E,?,00000000), ref: 00044E5B
                                            • CloseHandle.KERNEL32(00000000,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00046C0A
                                            • CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00046C19
                                            • CloseHandle.KERNEL32(000000FF,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00046C28
                                            • CloseHandle.KERNEL32(?,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 00046C33
                                            Strings
                                            • -%ls="%ls", xrefs: 00046AB0
                                            • burn.clean.room, xrefs: 00046AA8
                                            • Failed to get path for current process., xrefs: 00046A4D
                                            • Failed to cache to clean room., xrefs: 00046A8C
                                            • Failed to append original command line., xrefs: 00046B33
                                            • Failed to launch clean room process: %ls, xrefs: 00046BC1
                                            • c:\agent\_work\36\s\wix\src\burn\engine\engine.cpp, xrefs: 00046BB4
                                            • burn.filehandle.self, xrefs: 00046B0F
                                            • Failed to append %ls, xrefs: 00046AE6
                                            • burn.filehandle.attached, xrefs: 00046AE1
                                            • %ls %ls, xrefs: 00046B1F
                                            • Failed to allocate full command-line., xrefs: 00046B58
                                            • Failed to wait for clean room process: %ls, xrefs: 00046BED
                                            • "%ls" %ls, xrefs: 00046B44
                                            • D, xrefs: 00046B73
                                            • Failed to allocate parameters for unelevated process., xrefs: 00046AC4
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: CloseHandle$FileModuleName
                                            • String ID: "%ls" %ls$%ls %ls$-%ls="%ls"$D$Failed to allocate full command-line.$Failed to allocate parameters for unelevated process.$Failed to append %ls$Failed to append original command line.$Failed to cache to clean room.$Failed to get path for current process.$Failed to launch clean room process: %ls$Failed to wait for clean room process: %ls$burn.clean.room$burn.filehandle.attached$burn.filehandle.self$c:\agent\_work\36\s\wix\src\burn\engine\engine.cpp
                                            • API String ID: 3884789274-309622507
                                            • Opcode ID: ba992034ea8b76a2c276929bdf35673868824a98db940fb83ae209745f6b6a20
                                            • Instruction ID: 958362fe9303f50a3cfec3a7bf70ddd206324f30b600df56be4a37ea5de9da6e
                                            • Opcode Fuzzy Hash: ba992034ea8b76a2c276929bdf35673868824a98db940fb83ae209745f6b6a20
                                            • Instruction Fuzzy Hash: 9271D6B2D00669BBCF21AA94CC81DEFBBB8FF05710F104121FE50B6191E7719A458BD6

                                            Strings
                                            • Failed to load catalog files., xrefs: 00059450
                                            • Failed to parse command line., xrefs: 000592A8
                                            • Failed to set original source variable., xrefs: 000593AB
                                            • Failed to set source process folder variable., xrefs: 00059386
                                            • Failed to initialize internal cache functionality., xrefs: 000593E0
                                            • Failed to open manifest stream., xrefs: 000591EC
                                            • Failed to load manifest., xrefs: 00059229
                                            • Failed to get source process folder from path., xrefs: 00059366
                                            • WixBundleOriginalSource, xrefs: 0005939A
                                            • Failed to overwrite the %ls built-in variable., xrefs: 000592FC
                                            • Failed to set source process path variable., xrefs: 0005934A
                                            • Failed to get manifest stream from container., xrefs: 0005920D
                                            • WixBundleUILevel, xrefs: 00059317, 00059328
                                            • Failed to open attached UX container., xrefs: 000591CF
                                            • Failed to extract bootstrapper application payloads., xrefs: 00059430
                                            • WixBundleSourceProcessFolder, xrefs: 00059375
                                            • Failed to get unique temporary folder for bootstrapper application., xrefs: 0005940F
                                            • WixBundleSourceProcessPath, xrefs: 00059339
                                            • Failed to initialize variables., xrefs: 000591B2
                                            • WixBundleElevated, xrefs: 000592E6, 000592F7
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: CriticalInitializeSection
                                            • String ID: Failed to extract bootstrapper application payloads.$Failed to get manifest stream from container.$Failed to get source process folder from path.$Failed to get unique temporary folder for bootstrapper application.$Failed to initialize internal cache functionality.$Failed to initialize variables.$Failed to load catalog files.$Failed to load manifest.$Failed to open attached UX container.$Failed to open manifest stream.$Failed to overwrite the %ls built-in variable.$Failed to parse command line.$Failed to set original source variable.$Failed to set source process folder variable.$Failed to set source process path variable.$WixBundleElevated$WixBundleOriginalSource$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleUILevel
                                            • API String ID: 32694325-1564579409
                                            • Opcode ID: 0ae48b323cbc1d6f0b728a32a1d9967890bbb99120f24bc8100d717edf75c838
                                            • Instruction ID: 11fb60916ad5385075f412f63f7829d2649f70c4abd0b77aef47bd99f2719cd0
                                            • Opcode Fuzzy Hash: 0ae48b323cbc1d6f0b728a32a1d9967890bbb99120f24bc8100d717edf75c838
                                            • Instruction Fuzzy Hash: D3A19972E4065AFBDB229AA4CC45EEFB7ACBB04701F014226FA05F7141D774EE488B94

                                            APIs
                                            • CreateFileW.KERNELBASE(00000000,40000000,00000005,00000000,00000002,08000080,00000000,?,00000000,00000000,00046A86,?,?,00000000,00046A86,00000000), ref: 0005A371
                                            • GetLastError.KERNEL32 ref: 0005A37E
                                              • Part of subcall function 000435C3: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00043659
                                            • SetFilePointerEx.KERNELBASE(00000000,0008E4B8,00000000,00000000,00000000,?,00000000,0008E500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0005A42B
                                            • GetLastError.KERNEL32 ref: 0005A435
                                            • CloseHandle.KERNELBASE(00000000,?,00000000,0008E500,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0005A560
                                            Strings
                                            • msi.dll, xrefs: 0005A472
                                            • Failed to seek to checksum in exe header., xrefs: 0005A463
                                            • Failed to create engine file at path: %ls, xrefs: 0005A3AF
                                            • Failed to seek to signature table in exe header., xrefs: 0005A4CA
                                            • Failed to update signature offset., xrefs: 0005A47F
                                            • Failed to seek to original data in exe burn section header., xrefs: 0005A539
                                            • c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp, xrefs: 0005A3A2, 0005A459, 0005A4C0, 0005A52F
                                            • cabinet.dll, xrefs: 0005A4D9
                                            • Failed to copy engine from: %ls to: %ls, xrefs: 0005A406
                                            • Failed to zero out original data offset., xrefs: 0005A552
                                            • Failed to seek to beginning of engine file: %ls, xrefs: 0005A3D7
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: File$ErrorLast$CloseCreateHandlePointerRead
                                            • String ID: Failed to copy engine from: %ls to: %ls$Failed to create engine file at path: %ls$Failed to seek to beginning of engine file: %ls$Failed to seek to checksum in exe header.$Failed to seek to original data in exe burn section header.$Failed to seek to signature table in exe header.$Failed to update signature offset.$Failed to zero out original data offset.$c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp$cabinet.dll$msi.dll
                                            • API String ID: 3456208997-1085769834
                                            • Opcode ID: c6bbbec18f0596171b6995ba0e377e080f9eefd6d6222f34a89c997044767b43
                                            • Instruction ID: 5836aabb14ffda47186c603025bdb47aadeb76b2f3e709bd50b10daf9a9f4f52
                                            • Opcode Fuzzy Hash: c6bbbec18f0596171b6995ba0e377e080f9eefd6d6222f34a89c997044767b43
                                            • Instruction Fuzzy Hash: DA51B972F41A317BEB115AA49C4AFBF3698EF06B11F010224FE40FB182E665DD0457E6

                                            APIs
                                            • InitializeCriticalSection.KERNEL32(000591AC,00047083,00000000,0004710B), ref: 00049342
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: CriticalInitializeSection
                                            • String ID: #$$$'$0$Date$Failed to add built-in variable: %ls.$InstallerName$InstallerVersion$LogonUser$WixBundleAction$WixBundleActiveParent$WixBundleElevated$WixBundleExecutePackageAction$WixBundleExecutePackageCacheFolder$WixBundleForcedRestartPackage$WixBundleInstalled$WixBundleProviderKey$WixBundleSourceProcessFolder$WixBundleSourceProcessPath$WixBundleTag$WixBundleUILevel$WixBundleVersion
                                            • API String ID: 32694325-3635313340
                                            • Opcode ID: 82518269cbf04b5af690fdcba91309f1d4c086080702df14bf3572cf366844ef
                                            • Instruction ID: a88663ba88b6fd8480a46dc4ef89f5bf3f06c32f4da73857a318dfcd321fe101
                                            • Opcode Fuzzy Hash: 82518269cbf04b5af690fdcba91309f1d4c086080702df14bf3572cf366844ef
                                            • Instruction Fuzzy Hash: 5D4257B0C156299FDB65DF6AC9887DDFAB4BB48304F9081EED64CA6210C7B40B888F45

                                            APIs
                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000000), ref: 00059F4F
                                              • Part of subcall function 00085A1F: OpenProcessToken.ADVAPI32(?,00000008,?,00047083,00000000,?,?,?,?,?,?,?,000592DE,00000000), ref: 00085A3D
                                              • Part of subcall function 00085A1F: GetLastError.KERNEL32(?,?,?,?,?,?,?,000592DE,00000000), ref: 00085A47
                                              • Part of subcall function 00085A1F: CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,000592DE,00000000), ref: 00085AD1
                                            • GetWindowsDirectoryW.KERNEL32(?,00000104,00000000), ref: 00059F75
                                            • GetLastError.KERNEL32 ref: 00059F7F
                                            • GetTempPathW.KERNEL32(00000104,?,00000000), ref: 00059FFE
                                            • GetLastError.KERNEL32 ref: 0005A008
                                            • UuidCreate.RPCRT4(?), ref: 0005A047
                                            • StringFromGUID2.OLE32(?,?,00000027), ref: 0005A06B
                                            Strings
                                            • Failed to get temp path for working folder., xrefs: 0005A036
                                            • Failed to get windows path for working folder., xrefs: 00059FAD
                                            • Failed to convert working folder guid into string., xrefs: 0005A08A
                                            • %ls%ls\, xrefs: 0005A09F
                                            • c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp, xrefs: 00059FA3, 0005A02C, 0005A080
                                            • Failed to create working folder guid., xrefs: 0005A054
                                            • Failed to append bundle id on to temp path for working folder., xrefs: 0005A0B7
                                            • Failed to concat Temp directory on windows path for working folder., xrefs: 00059FF1
                                            • Failed to ensure windows path for working folder ended in backslash., xrefs: 00059FD2
                                            • Failed to copy working folder path., xrefs: 0005A0E5
                                            • Temp\, xrefs: 00059FD9
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: ErrorLast$Process$CloseCreateCurrentDirectoryFromHandleOpenPathStringTempTokenUuidWindows
                                            • String ID: %ls%ls\$Failed to append bundle id on to temp path for working folder.$Failed to concat Temp directory on windows path for working folder.$Failed to convert working folder guid into string.$Failed to copy working folder path.$Failed to create working folder guid.$Failed to ensure windows path for working folder ended in backslash.$Failed to get temp path for working folder.$Failed to get windows path for working folder.$Temp\$c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp
                                            • API String ID: 2129574491-2527715341
                                            • Opcode ID: 2fd353f9b6f22318e9c7e2b2c3df08a3dd675f5cd38b5bb613a676544d70cb18
                                            • Instruction ID: a094f1cf9d41f822629220d03f23d2476f03d3ad80332923b430187581e6d8d1
                                            • Opcode Fuzzy Hash: 2fd353f9b6f22318e9c7e2b2c3df08a3dd675f5cd38b5bb613a676544d70cb18
                                            • Instruction Fuzzy Hash: 6451F772F44724ABDF309AA4CC4DBDF73A86B05712F104265FE05FB181E6789D484BA2

                                            APIs
                                            • CoInitializeEx.OLE32(00000000,00000000), ref: 00062CEC
                                            • CoUninitialize.COMBASE ref: 00062F67
                                            Strings
                                            • Failed to set operation complete event., xrefs: 00062E93
                                            • Failed to reset begin operation event., xrefs: 00062F1F
                                            • Invalid operation for this state., xrefs: 00062F4B
                                            • <the>.cab, xrefs: 00062D8C
                                            • Failed to extract all files from container, erf: %d:%X:%d, xrefs: 00062E48
                                            • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 00062D62, 00062E89, 00062ED6, 00062F15, 00062F41
                                            • Failed to initialize cabinet.dll., xrefs: 00062D6E
                                            • Failed to initialize COM., xrefs: 00062CF8
                                            • Failed to wait for begin operation event., xrefs: 00062EE0
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: InitializeUninitialize
                                            • String ID: <the>.cab$Failed to extract all files from container, erf: %d:%X:%d$Failed to initialize COM.$Failed to initialize cabinet.dll.$Failed to reset begin operation event.$Failed to set operation complete event.$Failed to wait for begin operation event.$Invalid operation for this state.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                            • API String ID: 3442037557-1413192050
                                            • Opcode ID: 22c6ba2e6c0beebf9751c28c18a259a98a3abcb534108891c68c1f850f70481d
                                            • Instruction ID: 67f77921d8e46060c5874c81e226dd19884187294cfaa65d77170e2cdc0dc3db
                                            • Opcode Fuzzy Hash: 22c6ba2e6c0beebf9751c28c18a259a98a3abcb534108891c68c1f850f70481d
                                            • Instruction Fuzzy Hash: 07518D33D44E72E7D7306754CC46FAE27A6AB40B20B260335FE01BF291D66A8D0097E5

                                            Control-flow Graph

                                            APIs
                                            • InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,?,?,00046F2C,?,?,00000000,?,?), ref: 00045FDB
                                            • InitializeCriticalSection.KERNEL32(000000D0,?,?,00046F2C,?,?,00000000,?,?), ref: 00045FE4
                                            • lstrlenW.KERNEL32(burn.filehandle.attached,000004B8,000004A0,?,?,00046F2C,?,?,00000000,?,?), ref: 0004602A
                                            • lstrlenW.KERNEL32(burn.filehandle.attached,burn.filehandle.attached,00000000,?,?,00046F2C,?,?,00000000,?,?), ref: 00046034
                                            • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00046F2C,?,?,00000000,?,?), ref: 00046048
                                            • lstrlenW.KERNEL32(burn.filehandle.attached,?,?,00046F2C,?,?,00000000,?,?), ref: 00046058
                                            • lstrlenW.KERNEL32(burn.filehandle.self,?,?,00046F2C,?,?,00000000,?,?), ref: 000460A8
                                            • lstrlenW.KERNEL32(burn.filehandle.self,burn.filehandle.self,00000000,?,?,00046F2C,?,?,00000000,?,?), ref: 000460B2
                                            • CompareStringW.KERNEL32(0000007F,00000001,?,00000000,?,?,00046F2C,?,?,00000000,?,?), ref: 000460C6
                                            • lstrlenW.KERNEL32(burn.filehandle.self,?,?,00046F2C,?,?,00000000,?,?), ref: 000460D6
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: lstrlen$CompareCriticalInitializeSectionString
                                            • String ID: Failed to initialize engine section.$Failed to parse file handle: '%ls'$Missing required parameter for switch: %ls$burn.filehandle.attached$burn.filehandle.self$c:\agent\_work\36\s\wix\src\burn\engine\engine.cpp
                                            • API String ID: 3039292287-4012780215
                                            • Opcode ID: 069b698702e15cb39e7f7fb98e4c3eb42c28e8923e17835fbc9ab6f2536be220
                                            • Instruction ID: 3fe37b03a1cdd93665a39dc5c9a4e88acbef8c14627fc5796690bd3b274de747
                                            • Opcode Fuzzy Hash: 069b698702e15cb39e7f7fb98e4c3eb42c28e8923e17835fbc9ab6f2536be220
                                            • Instruction Fuzzy Hash: D75117B1A00255BFD724AF68CC46F9B7768FF02B60F000126F655DB1A1EBB1B900CBA5

                                            Control-flow Graph

                                            APIs
                                            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,08000080,00000000,?,00000000,00000000,?,0004E17F,000470CB,?,?,0004710B), ref: 0004DFD6
                                            • GetLastError.KERNEL32(?,0004E17F,000470CB,?,?,0004710B,0004710B,00000000,?,00000000), ref: 0004DFE7
                                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002,?,00000000,00000000,?,0004E17F,000470CB,?,?,0004710B,0004710B,00000000,?), ref: 0004E036
                                            • GetCurrentProcess.KERNEL32(000000FF,00000000,?,0004E17F,000470CB,?,?,0004710B,0004710B,00000000,?,00000000), ref: 0004E03C
                                            • DuplicateHandle.KERNELBASE(00000000,?,0004E17F,000470CB,?,?,0004710B,0004710B,00000000,?,00000000), ref: 0004E03F
                                            • GetLastError.KERNEL32(?,0004E17F,000470CB,?,?,0004710B,0004710B,00000000,?,00000000), ref: 0004E049
                                            • SetFilePointerEx.KERNELBASE(?,00000000,00000000,00000000,00000000,?,0004E17F,000470CB,?,?,0004710B,0004710B,00000000,?,00000000), ref: 0004E09B
                                            • GetLastError.KERNEL32(?,0004E17F,000470CB,?,?,0004710B,0004710B,00000000,?,00000000), ref: 0004E0A5
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: ErrorLast$CurrentFileProcess$CreateDuplicateHandlePointer
                                            • String ID: Failed to duplicate handle to container: %ls$Failed to move file pointer to container offset.$Failed to open container.$Failed to open file: %ls$c:\agent\_work\36\s\wix\src\burn\engine\container.cpp$crypt32.dll$feclient.dll
                                            • API String ID: 2619879409-4081371799
                                            • Opcode ID: 09a77c96a1181ade97d29d43331bb6d8ce678604cc703a37f2bfa6d08cc86f9c
                                            • Instruction ID: 09bd80ff0bd5c82ca3d053063c7bc294ff29dfa491863e60ef3dddae2fc71ec7
                                            • Opcode Fuzzy Hash: 09a77c96a1181ade97d29d43331bb6d8ce678604cc703a37f2bfa6d08cc86f9c
                                            • Instruction Fuzzy Hash: 234106B2140291ABDB209F19DD89F5B3BA5FFC0720F214029F9649F282DAB6D8419B74
                                            APIs
                                              • Part of subcall function 000413CA: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00041409
                                              • Part of subcall function 000413CA: GetLastError.KERNEL32(?,?), ref: 00041413
                                              • Part of subcall function 00044143: GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00044174
                                            • GetProcAddress.KERNEL32(MsiDeterminePatchSequenceW,00000000), ref: 000871A7
                                            • GetProcAddress.KERNEL32(MsiDetermineApplicablePatchesW), ref: 000871C7
                                            • GetProcAddress.KERNEL32(MsiEnumProductsExW), ref: 000871E7
                                            • GetProcAddress.KERNEL32(MsiGetPatchInfoExW), ref: 00087207
                                            • GetProcAddress.KERNEL32(MsiGetProductInfoExW), ref: 00087227
                                            • GetProcAddress.KERNEL32(MsiSetExternalUIRecord), ref: 00087247
                                            • GetProcAddress.KERNEL32(MsiSourceListAddSourceExW), ref: 00087267
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: AddressProc$ErrorLast$DirectorySystem
                                            • String ID: Msi.dll$MsiDetermineApplicablePatchesW$MsiDeterminePatchSequenceW$MsiEnumProductsExW$MsiGetPatchInfoExW$MsiGetProductInfoExW$MsiSetExternalUIRecord$MsiSourceListAddSourceExW
                                            • API String ID: 2510051996-1735120554
                                            • Opcode ID: 0ba64f64e21eef56d155fda448a4d4570239993939b0a888e9abffafadb8da57
                                            • Instruction ID: 829f983a88efd5430a07a7a5ad8ded80b36b7a503e400c81f2556a5dc1a352bb
                                            • Opcode Fuzzy Hash: 0ba64f64e21eef56d155fda448a4d4570239993939b0a888e9abffafadb8da57
                                            • Instruction Fuzzy Hash: F431E57194CA16AEFB51AFE4EC15B7D3AE0F703745F10003AE1459A5B0E7BA4892DF84
                                            APIs
                                            • GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00087C60,00000000,?,00000000), ref: 000876CC
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0006DB3B,?,000470CB,?,00000000,?), ref: 000876D8
                                            • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 00087718
                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00087724
                                            • GetProcAddress.KERNEL32(00000000,Wow64EnableWow64FsRedirection), ref: 0008772F
                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00087739
                                            • CoCreateInstance.OLE32(000AF7E4,00000000,00000001,0008E9F0,?,?,?,?,?,?,?,?,?,?,?,0006DB3B), ref: 00087774
                                            • ExitProcess.KERNEL32 ref: 00087823
                                            Strings
                                            • IsWow64Process, xrefs: 00087712
                                            • kernel32.dll, xrefs: 000876BC
                                            • c:\agent\_work\36\s\wix\src\libs\dutil\xmlutil.cpp, xrefs: 000876FC
                                            • Wow64RevertWow64FsRedirection, xrefs: 00087731
                                            • Wow64DisableWow64FsRedirection, xrefs: 0008771E
                                            • Wow64EnableWow64FsRedirection, xrefs: 00087726
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: AddressProc$CreateErrorExitHandleInstanceLastModuleProcess
                                            • String ID: IsWow64Process$Wow64DisableWow64FsRedirection$Wow64EnableWow64FsRedirection$Wow64RevertWow64FsRedirection$c:\agent\_work\36\s\wix\src\libs\dutil\xmlutil.cpp$kernel32.dll
                                            • API String ID: 2124981135-1982296257
                                            • Opcode ID: 18a940a3f454113e3630eab85b24f41b7b8b9e23eeb00821323479178d1a8653
                                            • Instruction ID: f268273736a7ac4ac1b2b57dbb0e099e6b1c95122a5597de6d394d9c8718a5c8
                                            • Opcode Fuzzy Hash: 18a940a3f454113e3630eab85b24f41b7b8b9e23eeb00821323479178d1a8653
                                            • Instruction Fuzzy Hash: 92419535B08225ABDB60EFA8C848F6E77E4BF45710F214469EA85EB254DB75DD00CB90
                                            APIs
                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,wininet.dll,?,00000000,00000000,00000000,?,?,0004E0EB,?,00000000,?,0004E17F), ref: 00063344
                                            • GetLastError.KERNEL32(?,0004E0EB,?,00000000,?,0004E17F,000470CB,?,?,0004710B,0004710B,00000000,?,00000000), ref: 0006334D
                                            Strings
                                            • Failed to copy file name., xrefs: 0006332F
                                            • Failed to create extraction thread., xrefs: 0006340D
                                            • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 00063371, 000633B7, 00063403
                                            • Failed to wait for operation complete., xrefs: 00063420
                                            • wininet.dll, xrefs: 00063323
                                            • Failed to create operation complete event., xrefs: 000633C1
                                            • Failed to create begin operation event., xrefs: 0006337B
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: CreateErrorEventLast
                                            • String ID: Failed to copy file name.$Failed to create begin operation event.$Failed to create extraction thread.$Failed to create operation complete event.$Failed to wait for operation complete.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp$wininet.dll
                                            • API String ID: 545576003-498445066
                                            • Opcode ID: 8be9468e0420c5d96ef450b9834ac29ca791c60bb6ddde9a88e676c1e1325d65
                                            • Instruction ID: 950c3a80dbaa5b3b08aa5641eae0a66c0e4895e010b07f79fb80189629d1f37e
                                            • Opcode Fuzzy Hash: 8be9468e0420c5d96ef450b9834ac29ca791c60bb6ddde9a88e676c1e1325d65
                                            • Instruction Fuzzy Hash: E321F973D40B7677F62156648D4AE6BA59DBF40BA0B014225BE40BF381EE64EF4046F1
                                            APIs
                                            • GetProcAddress.KERNELBASE(SystemFunction040,AdvApi32.dll), ref: 00084E81
                                            • GetProcAddress.KERNEL32(SystemFunction041), ref: 00084E93
                                            • GetProcAddress.KERNEL32(CryptProtectMemory,Crypt32.dll), ref: 00084ED6
                                            • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00084EEA
                                            • GetProcAddress.KERNEL32(CryptUnprotectMemory), ref: 00084F22
                                            • GetLastError.KERNEL32(?,?,?,?,?,?), ref: 00084F36
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: AddressProc$ErrorLast
                                            • String ID: AdvApi32.dll$Crypt32.dll$CryptProtectMemory$CryptUnprotectMemory$SystemFunction040$SystemFunction041$c:\agent\_work\36\s\wix\src\libs\dutil\cryputil.cpp
                                            • API String ID: 4214558900-626015102
                                            • Opcode ID: 62ecfbc08c9454f1b79aeba3fd32a12e7bd6d4a2b0576a7d2276264f65c94aea
                                            • Instruction ID: 1afe4d21687b05b2835f42a338d86c179370fff559ff6e0d613ff60271222f03
                                            • Opcode Fuzzy Hash: 62ecfbc08c9454f1b79aeba3fd32a12e7bd6d4a2b0576a7d2276264f65c94aea
                                            • Instruction Fuzzy Hash: 2F21C836945B33A7E721B7D49D4876E39D0FB52751F020134EF80AE253E7789C409B80
                                            APIs
                                            • CompareStringA.KERNELBASE(00000000,00000000,<the>.cab,?,?), ref: 000624CB
                                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,?), ref: 000624E3
                                            • GetCurrentProcess.KERNEL32(?,00000000,?,?), ref: 000624E8
                                            • DuplicateHandle.KERNELBASE(00000000,?,?), ref: 000624EB
                                            • GetLastError.KERNEL32(?,?), ref: 000624F5
                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,08000080,00000000,?,?), ref: 00062564
                                            • GetLastError.KERNEL32(?,?), ref: 00062571
                                            Strings
                                            • <the>.cab, xrefs: 000624C4
                                            • Failed to open cabinet file: %hs, xrefs: 000625A2
                                            • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 00062519, 00062595
                                            • Failed to duplicate handle to cab container., xrefs: 00062523
                                            • Failed to add virtual file pointer for cab container., xrefs: 0006254A
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: CurrentErrorLastProcess$CompareCreateDuplicateFileHandleString
                                            • String ID: <the>.cab$Failed to add virtual file pointer for cab container.$Failed to duplicate handle to cab container.$Failed to open cabinet file: %hs$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                            • API String ID: 3030546534-2422751550
                                            • Opcode ID: 952f2ba805b0448cb329e9e2b421014db8b6f41c612c050c2e15ad03f9734798
                                            • Instruction ID: bf92a6d04882b6e6889a97f68ec3ca3bbf7e2273954555f9c7ec74f63975c543
                                            • Opcode Fuzzy Hash: 952f2ba805b0448cb329e9e2b421014db8b6f41c612c050c2e15ad03f9734798
                                            • Instruction Fuzzy Hash: 7631DE72941D35BBEB319B54CD59E8A7AA9FF04B61F110111FE01BB290E674AE009BE0
                                            APIs
                                            • GetCurrentProcess.KERNEL32(000000FF,00000000,00000001,00000002,?,00000000,?,?,00046ADB,?,?), ref: 000586AD
                                            • GetCurrentProcess.KERNEL32(?,00000000,?,?,00046ADB,?,?), ref: 000586B3
                                            • DuplicateHandle.KERNELBASE(00000000,?,?,00046ADB,?,?), ref: 000586B6
                                            • GetLastError.KERNEL32(?,?,00046ADB,?,?), ref: 000586C0
                                            • CloseHandle.KERNEL32(000000FF,?,00046ADB,?,?), ref: 00058739
                                            Strings
                                            • burn.filehandle.attached, xrefs: 00058706
                                            • Failed to append the file handle to the command line., xrefs: 00058721
                                            • %ls -%ls=%u, xrefs: 0005870D
                                            • Failed to duplicate file handle for attached container., xrefs: 000586EE
                                            • c:\agent\_work\36\s\wix\src\burn\engine\core.cpp, xrefs: 000586E4
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: CurrentHandleProcess$CloseDuplicateErrorLast
                                            • String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to duplicate file handle for attached container.$burn.filehandle.attached$c:\agent\_work\36\s\wix\src\burn\engine\core.cpp
                                            • API String ID: 4224961946-423936899
                                            APIs
                                            • VariantInit.OLEAUT32(?), ref: 00087968
                                            • SysAllocString.OLEAUT32(?), ref: 00087984
                                            • VariantClear.OLEAUT32(?), ref: 00087A0B
                                            • SysFreeString.OLEAUT32(00000000), ref: 00087A16
                                            Strings
                                            • c:\agent\_work\36\s\wix\src\libs\dutil\xmlutil.cpp, xrefs: 0008799B
                                            • `<u, xrefs: 00087A16
                                            Similarity
                                            • API ID: StringVariant$AllocClearFreeInit
                                            • String ID: `<u$c:\agent\_work\36\s\wix\src\libs\dutil\xmlutil.cpp
                                            • API String ID: 760788290-1674559201
                                            APIs
                                            • OpenProcessToken.ADVAPI32(?,00000008,?,00047083,00000000,?,?,?,?,?,?,?,000592DE,00000000), ref: 00085A3D
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,000592DE,00000000), ref: 00085A47
                                            • GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),?,00000004,?,?,?,?,?,?,?,?,000592DE,00000000), ref: 00085A79
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,000592DE,00000000), ref: 00085A92
                                            • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,000592DE,00000000), ref: 00085AD1
                                            Strings
                                            • c:\agent\_work\36\s\wix\src\libs\dutil\procutil.cpp, xrefs: 00085ABF
                                            Similarity
                                            • API ID: ErrorLastToken$CloseHandleInformationOpenProcess
                                            • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\procutil.cpp
                                            • API String ID: 4040495316-3104418550
                                            APIs
                                            • CreateFileW.KERNELBASE(?,80000000,00000005,?,00000003,00000080,00000000,?,00000000,?,?,?), ref: 0005877B
                                            • CloseHandle.KERNEL32(00000000), ref: 000587EB
                                            Strings
                                            Similarity
                                            • API ID: CloseCreateFileHandle
                                            • String ID: %ls -%ls=%u$Failed to append the file handle to the command line.$Failed to append the file handle to the obfuscated command line.$burn.filehandle.self
                                            • API String ID: 3498533004-3263533295
                                            APIs
                                            • GetLastError.KERNEL32(?,00000000,00000000,00000000,00000000,00000001), ref: 00044174
                                            • GlobalAlloc.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000001), ref: 000441A1
                                            • GetLastError.KERNEL32(?,00000000,?,00000000), ref: 000441CD
                                            • GetLastError.KERNEL32(00000000,0008E564,?,00000000,?,00000000,?,00000000), ref: 0004420B
                                            • GlobalFree.KERNEL32(00000000), ref: 0004423C
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$Global$AllocFree
                                            • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp
                                            • API String ID: 1145190524-1339450348
                                            APIs
                                            • SetFilePointerEx.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?), ref: 000626FC
                                            • GetLastError.KERNEL32(?,?,?), ref: 00062706
                                            Strings
                                            • Failed to move file pointer 0x%x bytes., xrefs: 00062737
                                            • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 0006272A
                                            • Invalid seek type., xrefs: 00062692
                                            Similarity
                                            • API ID: ErrorFileLastPointer
                                            • String ID: Failed to move file pointer 0x%x bytes.$Invalid seek type.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                            • API String ID: 2976181284-2134847726
                                            APIs
                                            • CreateDirectoryW.KERNELBASE(00000000,00047083,00000000,00000000,?,0005BDBF,00000000,00000000,?,00000000,840F01E8,00047083,00000000,0004714F,840F01E8), ref: 00041B35
                                            • GetLastError.KERNEL32(?,0005BDBF,00000000,00000000,?,00000000,840F01E8,00047083,00000000,0004714F,840F01E8), ref: 00041B43
                                            • CreateDirectoryW.KERNEL32(00000000,00047083,00000000,?,0005BDBF,00000000,00000000,?,00000000,840F01E8,00047083,00000000,0004714F,840F01E8), ref: 00041BB3
                                            • GetLastError.KERNEL32(?,0005BDBF,00000000,00000000,?,00000000,840F01E8,00047083,00000000,0004714F,840F01E8), ref: 00041BBD
                                            Strings
                                            • c:\agent\_work\36\s\wix\src\libs\dutil\dirutil.cpp, xrefs: 00041BED
                                            Similarity
                                            • API ID: CreateDirectoryErrorLast
                                            • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\dirutil.cpp
                                            • API String ID: 1375471231-3208742346
                                            APIs
                                            • WaitForSingleObject.KERNEL32(000000FF,?,00000000,?,00046BE6,?,000000FF,?,?,?,?,?,00000000,?,?,?), ref: 00085C40
                                            • GetLastError.KERNEL32(?,00046BE6,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00085C4E
                                            • GetExitCodeProcess.KERNELBASE(000000FF,?), ref: 00085C93
                                            • GetLastError.KERNEL32(?,00046BE6,?,000000FF,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 00085C9D
                                            Strings
                                            • c:\agent\_work\36\s\wix\src\libs\dutil\procutil.cpp, xrefs: 00085C72
                                            Similarity
                                            • API ID: ErrorLast$CodeExitObjectProcessSingleWait
                                            • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\procutil.cpp
                                            • API String ID: 590199018-3104418550
                                            APIs
                                            • CoInitialize.OLE32(00000000), ref: 00087BCB
                                            • CLSIDFromProgID.COMBASE(Msxml2.DOMDocument,000AF7E4,00000001,00000000,00046FB9,?,?,?,?,?,?), ref: 00087C03
                                            • CLSIDFromProgID.OLE32(MSXML.DOMDocument,000AF7E4,?,?,?,?,?,?), ref: 00087C0F
                                            Strings
                                            Similarity
                                            • API ID: FromProg$Initialize
                                            • String ID: MSXML.DOMDocument$Msxml2.DOMDocument
                                            • API String ID: 4047641309-2356320334
                                            APIs
                                              • Part of subcall function 00062FDB: SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,000625F0,?,?,?), ref: 00063003
                                              • Part of subcall function 00062FDB: GetLastError.KERNEL32(?,000625F0,?,?,?), ref: 0006300D
                                            • ReadFile.KERNELBASE(?,?,?,?,00000000,?,?,?), ref: 000625FE
                                            • GetLastError.KERNEL32 ref: 00062608
                                            Strings
                                            • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 0006262C
                                            • Failed to read during cabinet extraction., xrefs: 00062636
                                            Similarity
                                            • API ID: ErrorFileLast$PointerRead
                                            • String ID: Failed to read during cabinet extraction.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                            • API String ID: 2170121939-1889023893
                                            APIs
                                            • SetFilePointerEx.KERNELBASE(?,?,?,00000000,00000000,?,?,?,00000000,?,000625F0,?,?,?), ref: 00063003
                                            • GetLastError.KERNEL32(?,000625F0,?,?,?), ref: 0006300D
                                            Strings
                                            • Failed to move to virtual file pointer., xrefs: 0006303B
                                            • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 00063031
                                            Similarity
                                            • API ID: ErrorFileLastPointer
                                            • String ID: Failed to move to virtual file pointer.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                            • API String ID: 2976181284-1638580159
                                            APIs
                                            • ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00043659
                                            • GetLastError.KERNEL32 ref: 000436BC
                                            Strings
                                            • c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 000436E0
                                            Similarity
                                            • API ID: ErrorFileLastRead
                                            • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp
                                            • API String ID: 1948546556-1339450348
                                            APIs
                                            • lstrlenW.KERNEL32(burn.clean.room,?,?,?,?,00041175,?,?,00000000), ref: 00046E08
                                            • CompareStringW.KERNELBASE(0000007F,00000001,?,0000000F,burn.clean.room,0000000F,?,?,?,?,00041175,?,?,00000000), ref: 00046E38
                                            Strings
                                            Similarity
                                            • API ID: CompareStringlstrlen
                                            • String ID: burn.clean.room
                                            • API String ID: 1433953587-3055529264
                                            APIs
                                            • WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000,00000000,00000000,?,?,?,00043680,?,?,?), ref: 0004452E
                                            • GetLastError.KERNEL32(?,?,00043680,?,?,?), ref: 00044538
                                            Strings
                                            • c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 00044561
                                            Similarity
                                            • API ID: ErrorFileLastWrite
                                            • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp
                                            • API String ID: 442123175-1339450348
                                            APIs
                                            • ExitProcess.KERNEL32 ref: 000410DA
                                              • Part of subcall function 00041C00: GetFileAttributesW.KERNELBASE(?,00000000,?,0004109F,?,00000000), ref: 00041C09
                                              • Part of subcall function 00043B2C: FindFirstFileW.KERNELBASE(?,?,?,00000000), ref: 00043B67
                                              • Part of subcall function 00043B2C: FindClose.KERNEL32(00000000,?,00000000), ref: 00043B73
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            Similarity
                                            • API ID: FileFind$AttributesCloseExitFirstProcess
                                            • String ID: %ls.local$Comctl32.dll
                                            • API String ID: 3456499317-3877841543
                                            APIs
                                            • SetFilePointerEx.KERNELBASE(?,?,?,?,?,00000000,?,?,?,0005A3CE,00000000,00000000,00000000,00000000,00000000), ref: 00044000
                                            • GetLastError.KERNEL32(?,?,?,0005A3CE,00000000,00000000,00000000,00000000,00000000), ref: 0004400A
                                            Strings
                                            • c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 0004402E
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            Similarity
                                            • API ID: ErrorFileLastPointer
                                            • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp
                                            • API String ID: 2976181284-1339450348
                                            APIs
                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00041409
                                            • GetLastError.KERNEL32(?,?), ref: 00041413
                                            • LoadLibraryW.KERNELBASE(?,?,00000104,?,?,?), ref: 0004147C
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            Similarity
                                            • API ID: DirectoryErrorLastLibraryLoadSystem
                                            • String ID:
                                            • API String ID: 1230559179-0
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,00000000,00000000,?,00085465,00000000,8007139F,?,00000000,00000000,8007139F,?,?,?,000853F9,000001C7), ref: 000451B8
                                            • RtlFreeHeap.NTDLL(00000000,?,00085465,00000000,8007139F,?,00000000,00000000,8007139F,?,?,?,000853F9,000001C7,?,?), ref: 000451BF
                                            • GetLastError.KERNEL32(?,00085465,00000000,8007139F,?,00000000,00000000,8007139F,?,?,?,000853F9,000001C7,?,?), ref: 000451C9
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            Similarity
                                            • API ID: Heap$ErrorFreeLastProcess
                                            • String ID:
                                            • API String ID: 406640338-0
                                            APIs
                                            • GetCurrentProcess.KERNEL32(000799A9,?,00079890,00000000,?,?,000799A9,91776666,?,000799A9), ref: 000798A7
                                            • TerminateProcess.KERNEL32(00000000,?,00079890,00000000,?,?,000799A9,91776666,?,000799A9), ref: 000798AE
                                            • ExitProcess.KERNEL32 ref: 000798C0
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            Similarity
                                            • API ID: Process$CurrentExitTerminate
                                            • String ID:
                                            • API String ID: 1703294689-0
                                            APIs
                                            • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,000AEBD4,00000000,?,00088E2A,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00045840
                                            Strings
                                            • c:\agent\_work\36\s\wix\src\libs\dutil\regutil.cpp, xrefs: 0004587D
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            Similarity
                                            • API ID: Open
                                            • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\regutil.cpp
                                            • API String ID: 71445658-90795250
                                            APIs
                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00084648
                                              • Part of subcall function 0006FE24: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0006FE97
                                              • Part of subcall function 0006FE24: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0006FEA8
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            Similarity
                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                            • String ID: h
                                            • API String ID: 1269201914-2663389753
                                            APIs
                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00084648
                                              • Part of subcall function 0006FE24: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0006FE97
                                              • Part of subcall function 0006FE24: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0006FEA8
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            Similarity
                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                            • String ID: d
                                            • API String ID: 1269201914-1529935672
                                            APIs
                                            • ___delayLoadHelper2@8.DELAYIMP ref: 00084648
                                              • Part of subcall function 0006FE24: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0006FE97
                                              • Part of subcall function 0006FE24: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0006FEA8
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            Similarity
                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                            • String ID: l
                                            • API String ID: 1269201914-1799404793
                                            APIs
                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0006FB5C
                                              • Part of subcall function 0006FE24: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0006FE97
                                              • Part of subcall function 0006FE24: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0006FEA8
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            Similarity
                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                            • String ID: |
                                            • API String ID: 1269201914-195046267
                                            APIs
                                            • GetProcessHeap.KERNEL32(?,000001C7,?,00042D50,?,00000001,80004005,8007139F,?,?,00085417,8007139F,?,00000000,00000000,8007139F), ref: 000450FA
                                            • RtlAllocateHeap.NTDLL(00000000,?,00042D50,?,00000001,80004005,8007139F,?,?,00085417,8007139F,?,00000000,00000000,8007139F), ref: 00045101
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            Similarity
                                            • API ID: Heap$AllocateProcess
                                            • String ID:
                                            • API String ID: 1357844191-0
                                            APIs
                                            • VariantInit.OLEAUT32(?), ref: 00087C4F
                                              • Part of subcall function 000876B2: GetModuleHandleA.KERNEL32(kernel32.dll,00000000,00000000,00087C60,00000000,?,00000000), ref: 000876CC
                                              • Part of subcall function 000876B2: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,0006DB3B,?,000470CB,?,00000000,?), ref: 000876D8
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            Similarity
                                            • API ID: ErrorHandleInitLastModuleVariant
                                            • String ID:
                                            • API String ID: 52713655-0
                                            APIs
                                            • RegCloseKey.ADVAPI32(80070490,00000000,80070490,000AEBD4,00000000,80070490,?,?,0005A771,WiX\Burn,PackageCache,00000000,000AEBD4,00000000,00000000,80070490), ref: 00088F0F
                                              • Part of subcall function 00045967: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000001,00000000,00000000,00000000,00000000,00000000), ref: 000459DD
                                              • Part of subcall function 00045967: RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,00000000,?), ref: 00045A15
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            Similarity
                                            • API ID: QueryValue$Close
                                            • String ID:
                                            • API String ID: 1979452859-0
                                            APIs
                                            • SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,00000000,00000104,00000000,?,0005A82B,0000001C,80070490,00000000,00000000,80070490), ref: 00044F3E
                                            Similarity
                                            • API ID: FolderPath
                                            • String ID:
                                            • API String ID: 1514166925-0
                                            APIs
                                            • GetFileAttributesW.KERNELBASE(?,00000000,?,0004109F,?,00000000), ref: 00041C09
                                            Similarity
                                            • API ID: AttributesFile
                                            • String ID:
                                            • API String ID: 3188754299-0
                                            APIs
                                            • FreeLibrary.KERNELBASE(00000000,00000000,00047234,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00087570
                                            Similarity
                                            • API ID: FreeLibrary
                                            • String ID:
                                            • API String ID: 3664257935-0
                                            APIs
                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0006FB5C
                                              • Part of subcall function 0006FE24: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0006FE97
                                              • Part of subcall function 0006FE24: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0006FEA8
                                            Similarity
                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                            • String ID:
                                            • API String ID: 1269201914-0
                                            APIs
                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0006FB5C
                                              • Part of subcall function 0006FE24: DloadReleaseSectionWriteAccess.DELAYIMP ref: 0006FE97
                                              • Part of subcall function 0006FE24: RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0006FEA8
                                            Similarity
                                            • API ID: AccessDloadExceptionHelper2@8LoadRaiseReleaseSectionWrite___delay
                                            • String ID:
                                            • API String ID: 1269201914-0
                                            APIs
                                            • lstrlenW.KERNEL32(?,?,00000000,00000000,?,00042C85,?,?,0004149E,00000000,?,0004149E,?,?,00000104), ref: 00041F29
                                              • Part of subcall function 00045369: GetProcessHeap.KERNEL32(00000000,000001C7,?,00042CA9,000001C7,80004005,8007139F,?,?,00085417,8007139F,?,00000000,00000000,8007139F), ref: 00045371
                                              • Part of subcall function 00045369: HeapSize.KERNEL32(00000000,?,00042CA9,000001C7,80004005,8007139F,?,?,00085417,8007139F,?,00000000,00000000,8007139F), ref: 00045378
                                            Similarity
                                            • API ID: Heap$ProcessSizelstrlen
                                            • String ID:
                                            • API String ID: 3492610842-0
                                            APIs
                                            • GetCurrentProcess.KERNEL32(00000020,?,00000001,00000000,?,?,?,?,?,?,?), ref: 000462EB
                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 000462F2
                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?), ref: 000462FC
                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0004634C
                                            • GetLastError.KERNEL32 ref: 00046356
                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000001,00000010,00000000,00000000), ref: 0004639A
                                            • GetLastError.KERNEL32 ref: 000463A4
                                            • Sleep.KERNEL32(000003E8), ref: 000463E0
                                            • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000001,80040002), ref: 000463F1
                                            • GetLastError.KERNEL32 ref: 000463FB
                                            • CloseHandle.KERNEL32(?), ref: 00046451
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast$ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSleepSystemValue
                                            • String ID: Failed to adjust token to add shutdown privileges.$Failed to get process token.$Failed to get shutdown privilege LUID.$Failed to schedule restart.$SeShutdownPrivilege$c:\agent\_work\36\s\wix\src\burn\engine\engine.cpp
                                            • API String ID: 2241679041-3077915282
                                            APIs
                                            • EnterCriticalSection.KERNEL32(000AF764,00000000,?,?,?,?,00062E9E,8007139F,Invalid operation for this state.,c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 0008509B
                                            • GetCurrentProcessId.KERNEL32(00000000,?,00062E9E,8007139F,Invalid operation for this state.,c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 000850AB
                                            • GetCurrentThreadId.KERNEL32 ref: 000850B4
                                            • GetLocalTime.KERNEL32(8007139F,?,00062E9E,8007139F,Invalid operation for this state.,c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 000850CA
                                            • LeaveCriticalSection.KERNEL32(000AF764,00062E9E,?,00000000,0000FDE9,?,00062E9E,8007139F,Invalid operation for this state.,c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp,000001C7,8007139F), ref: 000851C1
                                            Strings
                                            • %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls, xrefs: 00085167
                                            Similarity
                                            • API ID: CriticalCurrentSection$EnterLeaveLocalProcessThreadTime
                                            • String ID: %ls[%04X:%04X][%04hu-%02hu-%02huT%02hu:%02hu:%02hu]%hs%03d:%ls %ls%ls
                                            • API String ID: 296830338-59366893
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: __floor_pentium4
                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                            • API String ID: 4168288129-2761157908
                                            APIs
                                            • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 0007C34A
                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0007C3C5
                                            • FindClose.KERNEL32(00000000), ref: 0007C3E7
                                            • FindClose.KERNEL32(00000000), ref: 0007C40A
                                            Similarity
                                            • API ID: Find$CloseFile$FirstNext
                                            • String ID:
                                            • API String ID: 1164774033-0
                                            APIs
                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00084065,?,?,00000008,?,?,00083C6F,00000000), ref: 00084297
                                            Similarity
                                            • API ID: ExceptionRaise
                                            • String ID:
                                            • API String ID: 3997070919-0
                                            Strings
                                            Similarity
                                            • API ID:
                                            • String ID: 0
                                            • API String ID: 0-4108050209
                                            APIs
                                            • EnterCriticalSection.KERNEL32(0004710B,?,00000000,80070490,?,?,?,?,?,?,?,?,0006DCD5,?,0004710B,?), ref: 0004A1D1
                                            • LeaveCriticalSection.KERNEL32(0004710B,?,?,?,?,?,?,?,?,0006DCD5,?,0004710B,?,0004710B,0004710B,Chain), ref: 0004A534
                                            Strings
                                            • numeric, xrefs: 0004A2E6
                                            • Hidden, xrefs: 0004A259
                                            • Initializing numeric variable '%ls' to value '%ls', xrefs: 0004A30C
                                            • Invalid value for @Type: %ls, xrefs: 0004A49B
                                            • Failed to get @Value., xrefs: 0004A4BC
                                            • Failed to get variable node count., xrefs: 0004A20B
                                            • Failed to insert variable '%ls'., xrefs: 0004A4C6
                                            • Failed to get @Type., xrefs: 0004A4AE
                                            • Initializing version variable '%ls' to value '%ls', xrefs: 0004A37D
                                            • Initializing hidden variable '%ls', xrefs: 0004A39B
                                            • c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp, xrefs: 0004A4E9
                                            • Failed to find variable value '%ls'., xrefs: 0004A502
                                            • Variable, xrefs: 0004A1DB
                                            • Failed to set variant encryption, xrefs: 0004A4CD
                                            • Type, xrefs: 0004A2CD
                                            • Failed to set variant value., xrefs: 0004A4B5
                                            • Failed to select variable nodes., xrefs: 0004A1EE
                                            • Failed to get next node., xrefs: 0004A526
                                            • string, xrefs: 0004A321
                                            • Failed to set value of variable: %ls, xrefs: 0004A4D7
                                            • version, xrefs: 0004A356
                                            • Failed to get @Hidden., xrefs: 0004A518
                                            • Attempt to set built-in variable value: %ls, xrefs: 0004A4F8
                                            • Initializing string variable '%ls' to value '%ls', xrefs: 0004A344
                                            • Failed to get @Id., xrefs: 0004A51F
                                            • Failed to get @Persisted., xrefs: 0004A511
                                            • Value, xrefs: 0004A28F
                                            • Persisted, xrefs: 0004A274
                                            • Failed to change variant type., xrefs: 0004A50A
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID: Attempt to set built-in variable value: %ls$Failed to change variant type.$Failed to find variable value '%ls'.$Failed to get @Hidden.$Failed to get @Id.$Failed to get @Persisted.$Failed to get @Type.$Failed to get @Value.$Failed to get next node.$Failed to get variable node count.$Failed to insert variable '%ls'.$Failed to select variable nodes.$Failed to set value of variable: %ls$Failed to set variant encryption$Failed to set variant value.$Hidden$Initializing hidden variable '%ls'$Initializing numeric variable '%ls' to value '%ls'$Initializing string variable '%ls' to value '%ls'$Initializing version variable '%ls' to value '%ls'$Invalid value for @Type: %ls$Persisted$Type$Value$Variable$c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp$numeric$string$version
                                            • API String ID: 3168844106-3004887034
                                            • Opcode ID: 69d6ae70e11a07f44cd19e3852b2a726134fb6ca26c6d342f97654ca1cbbfc24
                                            • Instruction ID: 284d1fa50a43aadec39f53cfc80ca613ec016c9bd5b36d4c86d9b4ac0a149b5c
                                            • Opcode Fuzzy Hash: 69d6ae70e11a07f44cd19e3852b2a726134fb6ca26c6d342f97654ca1cbbfc24
                                            • Instruction Fuzzy Hash: 24B118B2E80625FBCF21AB94CC45EEEBBB5BF45710F104170FA54BA192D7708A40DB96
                                            APIs
                                            • lstrlenW.KERNEL32(?,?,00000000,?,?,00000000,75C0B390,?,00046205,?,0008E500), ref: 000571B6
                                            • GetCurrentProcessId.KERNEL32(?,00046205,?,0008E500), ref: 000571C1
                                            • SetNamedPipeHandleState.KERNEL32(?,000000FF,00000000,00000000,?,00046205,?,0008E500), ref: 000571F8
                                            • ConnectNamedPipe.KERNEL32(?,00000000,?,00046205,?,0008E500), ref: 0005720D
                                            • GetLastError.KERNEL32(?,00046205,?,0008E500), ref: 00057217
                                            • Sleep.KERNEL32(00000064,?,00046205,?,0008E500), ref: 0005724C
                                            • SetNamedPipeHandleState.KERNEL32(?,00000000,00000000,00000000,?,00046205,?,0008E500), ref: 0005726F
                                            • WriteFile.KERNEL32(?,crypt32.dll,00000004,00000000,00000000,?,00046205,?,0008E500), ref: 0005728A
                                            • WriteFile.KERNEL32(?,00046205,0008E500,00000000,00000000,?,00046205,?,0008E500), ref: 000572A5
                                            • WriteFile.KERNEL32(?,?,00000004,00000000,00000000,?,00046205,?,0008E500), ref: 000572C0
                                            • ReadFile.KERNEL32(?,00000000,00000004,00000000,00000000,?,00046205,?,0008E500), ref: 000572DB
                                            • GetLastError.KERNEL32(?,00046205,?,0008E500), ref: 00057336
                                            • GetLastError.KERNEL32(?,00046205,?,0008E500), ref: 0005736A
                                            • GetLastError.KERNEL32(?,00046205,?,0008E500), ref: 0005739E
                                            • GetLastError.KERNEL32(?,00046205,?,0008E500), ref: 000573D2
                                            • GetLastError.KERNEL32(?,00046205,?,0008E500), ref: 00057403
                                            • GetLastError.KERNEL32(?,00046205,?,0008E500), ref: 00057434
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: ErrorLast$File$NamedPipeWrite$HandleState$ConnectCurrentProcessReadSleeplstrlen
                                            • String ID: Failed to read ACK from pipe.$Failed to reset pipe to blocking.$Failed to set pipe to non-blocking.$Failed to wait for child to connect to pipe.$Failed to write our process id to pipe.$Failed to write secret length to pipe.$Failed to write secret to pipe.$c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp$crypt32.dll
                                            • API String ID: 2944378912-1623437160
                                            • Opcode ID: 97488ef44e6ff8fc4fa71cbf37515536dc04dd7f6d38391910101ff92ab9e9b9
                                            • Instruction ID: c9284ed22d6a6fdcbc0b56811006c25d517d857866b726852de024e9d477b439
                                            • Opcode Fuzzy Hash: 97488ef44e6ff8fc4fa71cbf37515536dc04dd7f6d38391910101ff92ab9e9b9
                                            • Instruction Fuzzy Hash: DE612C73D482356BEB209A959C49B9F79E86F00722F110121FE08FB181D774DE44ABE5
                                            APIs
                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 0004C155
                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 0004C17D
                                            • RegCloseKey.ADVAPI32(00000000,?,00000000,?,?,?,?,?), ref: 0004C47C
                                            Strings
                                            • Failed to format key string., xrefs: 0004C162
                                            • Failed to format value string., xrefs: 0004C18A
                                            • Failed to clear variable., xrefs: 0004C1DB
                                            • Failed to query registry key value size., xrefs: 0004C259
                                            • Failed to allocate memory registry value., xrefs: 0004C28C
                                            • Failed to open registry key., xrefs: 0004C1F0
                                            • Failed to allocate string buffer., xrefs: 0004C370
                                            • Unsupported registry key value type. Type = '%u', xrefs: 0004C30F
                                            • RegistrySearchValue failed: ID '%ls', HRESULT 0x%x, xrefs: 0004C454
                                            • Failed to read registry value., xrefs: 0004C405
                                            • Failed to get expand environment string., xrefs: 0004C3EA
                                            • Registry key not found. Key = '%ls', xrefs: 0004C1B5
                                            • c:\agent\_work\36\s\wix\src\burn\engine\search.cpp, xrefs: 0004C24D, 0004C282, 0004C2D5, 0004C3DE
                                            • Failed to query registry key value., xrefs: 0004C2E1
                                            • Registry value not found. Key = '%ls', Value = '%ls', xrefs: 0004C21F
                                            • Failed to set variable., xrefs: 0004C43E
                                            • Failed to change value type., xrefs: 0004C420, 0004C443
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: Open@16$Close
                                            • String ID: Failed to allocate memory registry value.$Failed to allocate string buffer.$Failed to change value type.$Failed to clear variable.$Failed to format key string.$Failed to format value string.$Failed to get expand environment string.$Failed to open registry key.$Failed to query registry key value size.$Failed to query registry key value.$Failed to read registry value.$Failed to set variable.$Registry key not found. Key = '%ls'$Registry value not found. Key = '%ls', Value = '%ls'$RegistrySearchValue failed: ID '%ls', HRESULT 0x%x$Unsupported registry key value type. Type = '%u'$c:\agent\_work\36\s\wix\src\burn\engine\search.cpp
                                            • API String ID: 2348241696-1030985318
                                            • Opcode ID: 0e1af4c69e2c941158843bde39121a12800243e505ac05dfe11c20f17307154f
                                            • Instruction ID: 8cc03579742856b47a8b29212da8639ddb8d728af1c640ec2e15035671087b2f
                                            • Opcode Fuzzy Hash: 0e1af4c69e2c941158843bde39121a12800243e505ac05dfe11c20f17307154f
                                            • Instruction Fuzzy Hash: 24A1F7F2E02125BBEF629AA8CD05FEE7AA9AF04710F108131F901BA251D7759E0097D8
                                            APIs
                                            • GetCurrentProcessId.KERNEL32(?,8000FFFF,feclient.dll,?,000568B3,0008E4E8,?,feclient.dll,00000000,?,?), ref: 000563B7
                                            • ReadFile.KERNEL32(feclient.dll,feclient.dll,00000004,?,00000000,?,000568B3,0008E4E8,?,feclient.dll,00000000,?,?), ref: 000563D8
                                            • GetLastError.KERNEL32(?,000568B3,0008E4E8,?,feclient.dll,00000000,?,?), ref: 000563DE
                                            • ReadFile.KERNEL32(feclient.dll,00000000,0008E518,?,00000000,00000000,0008E519,?,000568B3,0008E4E8,?,feclient.dll,00000000,?,?), ref: 0005646C
                                            • GetLastError.KERNEL32(?,000568B3,0008E4E8,?,feclient.dll,00000000,?,?), ref: 00056472
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: ErrorFileLastRead$CurrentProcess
                                            • String ID: Failed to allocate buffer for verification secret.$Failed to inform parent process that child is running.$Failed to read size of verification secret from parent pipe.$Failed to read verification process id from parent pipe.$Failed to read verification secret from parent pipe.$Verification process id from parent does not match.$Verification secret from parent does not match.$Verification secret from parent is too big.$c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp$feclient.dll$msasn1.dll
                                            • API String ID: 1233551569-2778284747
                                            • Opcode ID: 06ba547bbfe50596064a4e759cbeb48c828387229b73908d2a90a56e6423a995
                                            • Instruction ID: bb683d6894eca7b083c81a20cc5f8a4ba4d278c5620befe1d7efb02bb782b02c
                                            • Opcode Fuzzy Hash: 06ba547bbfe50596064a4e759cbeb48c828387229b73908d2a90a56e6423a995
                                            • Instruction Fuzzy Hash: AF513773984625B7EB219A94CD45FAFB6A8AF00B11F510165FE00BB281E675DE00DBE1
                                            APIs
                                              • Part of subcall function 0005FF39: LoadBitmapW.USER32(?,00000001), ref: 0005FF6F
                                              • Part of subcall function 0005FF39: GetLastError.KERNEL32 ref: 0005FF7B
                                            • LoadCursorW.USER32(00000000,00007F00), ref: 000600B1
                                            • RegisterClassW.USER32(?), ref: 000600C5
                                            • GetLastError.KERNEL32 ref: 000600D0
                                            • UnregisterClassW.USER32(WixBurnSplashScreen,?), ref: 000601D5
                                            • DeleteObject.GDI32(00000000), ref: 000601E4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: ClassErrorLastLoad$BitmapCursorDeleteObjectRegisterUnregister
                                            • String ID: Failed to create window.$Failed to load splash screen.$Failed to register window.$Unexpected return value from message pump.$WixBurnSplashScreen$c:\agent\_work\36\s\wix\src\burn\engine\splashscreen.cpp
                                            • API String ID: 164797020-2801829539
                                            • Opcode ID: 6c4f106858f64655c639095b24d34cb300d667eaacb5985c2edd7985c4f89370
                                            • Instruction ID: 293414fb92c9cb67eeaedcec9dd2e4c436968a430d943e4cf4a13798e3dea035
                                            • Opcode Fuzzy Hash: 6c4f106858f64655c639095b24d34cb300d667eaacb5985c2edd7985c4f89370
                                            • Instruction Fuzzy Hash: 0641C27298062ABFEB119BE4DD49EAFBBB9FF05311F100121FA41EA190D7749E008B91
                                            APIs
                                            • RegCloseKey.ADVAPI32(00000000,00000000,000521B0,InstallerVersion,InstallerVersion,00000000,000521B0,InstallerName,InstallerName,00000000,000521B0,Date,InstalledDate,00000000,000521B0,LogonUser), ref: 00051411
                                              • Part of subcall function 00045D90: RegSetValueExW.ADVAPI32(00020006,00094178,00000000,00000001,?,00000000,?,000000FF,00000000,00000000,?,?,00051017,00000000,?,00020006), ref: 00045DC3
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: CloseValue
                                            • String ID: Date$Failed to create the key for update registration.$Failed to get the formatted key path for update registration.$Failed to write %ls value.$InstalledBy$InstalledDate$InstallerName$InstallerVersion$LogonUser$PackageName$PackageVersion$Publisher$PublishingGroup$ReleaseType$ThisVersionInstalled
                                            • API String ID: 3132538880-2703781546
                                            • Opcode ID: 4e12f16a87d0394428163ef8f58420339d3f9b653ae810fbbddae6902db84e7c
                                            • Instruction ID: 91b01154d20b23fb9a775d49c22a3e70e327ac1fcc96aefbbedb38af9506c994
                                            • Opcode Fuzzy Hash: 4e12f16a87d0394428163ef8f58420339d3f9b653ae810fbbddae6902db84e7c
                                            • Instruction Fuzzy Hash: EB41AF72E40E22B7CF236651CC26FEF7A65AF10B13F120160FD01BA652C7A19F15A790
                                            Strings
                                            • Failed to copy cache id for passthrough pseudo bundle., xrefs: 0006E516
                                            • Failed to copy uninstall arguments for passthrough bundle package, xrefs: 0006E5BD
                                            • Failed to allocate space for burn package payload inside of passthrough bundle., xrefs: 0006E2C5
                                            • Failed to copy download source for passthrough pseudo bundle., xrefs: 0006E4A0
                                            • Failed to copy filename for passthrough pseudo bundle., xrefs: 0006E4CF
                                            • Failed to copy related arguments for passthrough bundle package, xrefs: 0006E593
                                            • Failed to allocate memory for pseudo bundle payload hash., xrefs: 0006E4BE
                                            • Failed to allocate space for burn payload inside of related bundle struct, xrefs: 0006E4F8
                                            • Failed to copy key for passthrough pseudo bundle., xrefs: 0006E499
                                            • c:\agent\_work\36\s\wix\src\burn\engine\pseudobundle.cpp, xrefs: 0006E2B9, 0006E4B2, 0006E4EC
                                            • Failed to copy key for passthrough pseudo bundle payload., xrefs: 0006E4D6
                                            • Failed to recreate command-line arguments., xrefs: 0006E554
                                            • Failed to copy install arguments for passthrough bundle package, xrefs: 0006E573
                                            • Failed to copy local source path for passthrough pseudo bundle., xrefs: 0006E4C8
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: Heap$AllocateProcess
                                            • String ID: Failed to allocate memory for pseudo bundle payload hash.$Failed to allocate space for burn package payload inside of passthrough bundle.$Failed to allocate space for burn payload inside of related bundle struct$Failed to copy cache id for passthrough pseudo bundle.$Failed to copy download source for passthrough pseudo bundle.$Failed to copy filename for passthrough pseudo bundle.$Failed to copy install arguments for passthrough bundle package$Failed to copy key for passthrough pseudo bundle payload.$Failed to copy key for passthrough pseudo bundle.$Failed to copy local source path for passthrough pseudo bundle.$Failed to copy related arguments for passthrough bundle package$Failed to copy uninstall arguments for passthrough bundle package$Failed to recreate command-line arguments.$c:\agent\_work\36\s\wix\src\burn\engine\pseudobundle.cpp
                                            • API String ID: 1357844191-1162945257
                                            • Opcode ID: 720428d0eeb1ce4f00463d329669cb4fa82aea37e543582d83f98f35db41f5e9
                                            • Instruction ID: c06a997ac608869bbf9a5d9200bf2a64fcceb28ae83c449144284b80d4e56da0
                                            • Opcode Fuzzy Hash: 720428d0eeb1ce4f00463d329669cb4fa82aea37e543582d83f98f35db41f5e9
                                            • Instruction Fuzzy Hash: 06B15779A00656EFCB61CF68C881F99BBA2BF08710F118169FD159F362DB71E910DB90
                                            APIs
                                            • GetCurrentProcess.KERNEL32(00000000), ref: 000482F5
                                              • Part of subcall function 00085CD2: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00047B69,00000000), ref: 00085CE7
                                              • Part of subcall function 00085CD2: GetProcAddress.KERNEL32(00000000), ref: 00085CEE
                                              • Part of subcall function 00085CD2: GetLastError.KERNEL32(?,?,?,?,00047B69,00000000), ref: 00085D09
                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00048321
                                            • GetLastError.KERNEL32 ref: 0004832F
                                            • GetSystemWow64DirectoryW.KERNEL32(?,00000104,00000000), ref: 00048367
                                            • GetLastError.KERNEL32 ref: 00048371
                                            • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 000483B4
                                            • GetLastError.KERNEL32 ref: 000483BE
                                            Strings
                                            • Failed to get 32-bit system folder., xrefs: 0004839F
                                            • Failed to backslash terminate system folder., xrefs: 00048401
                                            • Failed to set system folder variant value., xrefs: 0004841D
                                            • c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp, xrefs: 00048353, 00048395
                                            • Failed to get 64-bit system folder., xrefs: 0004835D
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: ErrorLast$DirectorySystem$AddressCurrentHandleModuleProcProcessWow64
                                            • String ID: Failed to backslash terminate system folder.$Failed to get 32-bit system folder.$Failed to get 64-bit system folder.$Failed to set system folder variant value.$c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp
                                            • API String ID: 325818893-1386230865
                                            • Opcode ID: ad551470e38ef5879a98b98872a74497a7344d4ac1217a7f2793d6beda6cb87b
                                            • Instruction ID: 888dacb9c52b4c695911159227ea1ff82625ccc317cbb09a3de1171e76954d2a
                                            • Opcode Fuzzy Hash: ad551470e38ef5879a98b98872a74497a7344d4ac1217a7f2793d6beda6cb87b
                                            • Instruction Fuzzy Hash: DE3128B2D41635A7DB305B50CC4DBDE76A86F00B52F018571BD44FB181EB789E408BE9
                                            APIs
                                            • CreateFileW.KERNEL32(00000000,80000000,00000005,00000000,00000003,08000000,00000000,?,00000000,?,0005C4D3,?,00000000,00000000,00000000,?), ref: 0005B315
                                            • GetLastError.KERNEL32(?,0005C4D3,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0005B323
                                              • Part of subcall function 000437ED: Sleep.KERNEL32(?,00000000,?,0005A24E,?,?,00000001,00000003,000007D0,?,?,?,?,?,?,00046A86), ref: 00043804
                                            • CloseHandle.KERNEL32(00000000,?,00000001,00000003,000007D0,00000000,00000000), ref: 0005B401
                                            Strings
                                            • Failed to copy %ls to %ls, xrefs: 0005B3EF
                                            • Failed to verify container hash: %ls, xrefs: 0005B384
                                            • Copying, xrefs: 0005B3A0, 0005B3AB
                                            • %ls container from working path '%ls' to path '%ls', xrefs: 0005B3AC
                                            • Failed to move %ls to %ls, xrefs: 0005B3D9
                                            • c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp, xrefs: 0005B347
                                            • Failed to open container in working path: %ls, xrefs: 0005B352
                                            • Moving, xrefs: 0005B397
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: CloseCreateErrorFileHandleLastSleep
                                            • String ID: %ls container from working path '%ls' to path '%ls'$Copying$Failed to copy %ls to %ls$Failed to move %ls to %ls$Failed to open container in working path: %ls$Failed to verify container hash: %ls$Moving$c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp
                                            • API String ID: 1275171361-3235902153
                                            • Opcode ID: d866bbacdaa62359a32127b55d3633e0da083fd504e242e0bb01b84cdeb6b83b
                                            • Instruction ID: fea3370fa916a6ee82d9b49fb56881587a51f02cf3bd0c798ac5a08b59f9d39e
                                            • Opcode Fuzzy Hash: d866bbacdaa62359a32127b55d3633e0da083fd504e242e0bb01b84cdeb6b83b
                                            • Instruction Fuzzy Hash: 06212872B406757BD7322A148C47F6F355CEF41B62F110014FE007E2C2D796AE1196E6
                                            APIs
                                            • CompareStringW.KERNEL32(0000007F,00000000,?,000000FF,label,000000FF,?,?,?,74DEDFD0,?,0008A8E7,?,?), ref: 0008A3CB
                                            • SysFreeString.OLEAUT32(00000000), ref: 0008A436
                                            • SysFreeString.OLEAUT32(00000000), ref: 0008A4AE
                                            • SysFreeString.OLEAUT32(00000000), ref: 0008A4ED
                                            Strings
                                            Similarity
                                            • API ID: String$Free$Compare
                                            • String ID: `<u$label$scheme$term
                                            • API String ID: 1324494773-4028212031
                                            • Opcode ID: 260b6ddb0bcfbefec64f29336677f07aee7a3631a92daf4144dfce8bb1ea9523
                                            • Instruction ID: 3bb280cd361851868efdc504dbdcde2b3552833ae017d81ac7c979374150c785
                                            • Opcode Fuzzy Hash: 260b6ddb0bcfbefec64f29336677f07aee7a3631a92daf4144dfce8bb1ea9523
                                            • Instruction Fuzzy Hash: 5C518D31A01219EBEF21EB94C848FAEBBB4BF06720F2042A6F551A71A1D775DE40DB51
                                            APIs
                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,00000000,?,?,00047154,?,?), ref: 000602EC
                                            • GetLastError.KERNEL32(?,?,00047154,?,?), ref: 000602F9
                                            • CreateThread.KERNEL32(00000000,00000000,00060050,00000000,00000000,00000000), ref: 00060358
                                            • GetLastError.KERNEL32(?,?,00047154,?,?), ref: 00060365
                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00047154,?,?), ref: 000603A0
                                            • CloseHandle.KERNEL32(?,?,?,00047154,?,?), ref: 000603B4
                                            • CloseHandle.KERNEL32(?,?,?,00047154,?,?), ref: 000603C1
                                            Strings
                                            • Failed to create UI thread., xrefs: 00060390
                                            • c:\agent\_work\36\s\wix\src\burn\engine\splashscreen.cpp, xrefs: 0006031A, 00060386
                                            • Failed to create modal event., xrefs: 00060324
                                            Similarity
                                            • API ID: CloseCreateErrorHandleLast$EventMultipleObjectsThreadWait
                                            • String ID: Failed to create UI thread.$Failed to create modal event.$c:\agent\_work\36\s\wix\src\burn\engine\splashscreen.cpp
                                            • API String ID: 2351989216-2652401288
                                            • Opcode ID: 1a2c79ea4dd5de95fc3a4fd095941aa8301c1900a1effa0ddad2298e942d3888
                                            • Instruction ID: c375790dbc728290ef5ebd44081e64882a5f6cec2b5cfe40d7ef4fe164eb1441
                                            • Opcode Fuzzy Hash: 1a2c79ea4dd5de95fc3a4fd095941aa8301c1900a1effa0ddad2298e942d3888
                                            • Instruction Fuzzy Hash: 90319176D40229BBEB219F99CC45A9FBBB8AB84711F104166FD40F7250E6749B00CBE1
                                            APIs
                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,74DF2F60,?,?), ref: 000630D4
                                            • GetLastError.KERNEL32 ref: 000630E7
                                            • GetExitCodeThread.KERNEL32(0008E488,00000000), ref: 00063129
                                            • GetLastError.KERNEL32 ref: 00063137
                                            • ResetEvent.KERNEL32(0008E460), ref: 00063172
                                            • GetLastError.KERNEL32 ref: 0006317C
                                            Strings
                                            • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 0006310E, 0006315E, 000631A3
                                            • Failed to wait for operation complete event., xrefs: 00063118
                                            • Failed to reset operation complete event., xrefs: 000631AD
                                            • Failed to get extraction thread exit code., xrefs: 00063168
                                            Similarity
                                            • API ID: ErrorLast$CodeEventExitMultipleObjectsResetThreadWait
                                            • String ID: Failed to get extraction thread exit code.$Failed to reset operation complete event.$Failed to wait for operation complete event.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                            • API String ID: 2979751695-296692858
                                            • Opcode ID: f1e0e1465aec9a0517bfef6b015b39d7d6cad9821236b755ff4178bd29d28b9c
                                            • Instruction ID: dce8c10b9f17a9ae4fb6a30ea6270b7c4597bb5b0802ab86d76ea8223d11251b
                                            • Opcode Fuzzy Hash: f1e0e1465aec9a0517bfef6b015b39d7d6cad9821236b755ff4178bd29d28b9c
                                            • Instruction Fuzzy Hash: 0A319E70A40245FBEB10DFA5CE06BAE76F9BB01701F104169F945EE1A0E779DF409BA1
                                            APIs
                                            • SetEvent.KERNEL32(0008E478,?,00000000,?,0004DED5,?,00047083,00000000,?,0005948E,?,00047333,0004713F,0004713F,00000000,?), ref: 000631E7
                                            • GetLastError.KERNEL32(?,0004DED5,?,00047083,00000000,?,0005948E,?,00047333,0004713F,0004713F,00000000,?,0004714F,FFF9E89D,0004714F), ref: 000631F1
                                            • WaitForSingleObject.KERNEL32(0008E488,000000FF,?,0004DED5,?,00047083,00000000,?,0005948E,?,00047333,0004713F,0004713F,00000000,?,0004714F), ref: 0006322B
                                            • GetLastError.KERNEL32(?,0004DED5,?,00047083,00000000,?,0005948E,?,00047333,0004713F,0004713F,00000000,?,0004714F,FFF9E89D,0004714F), ref: 00063235
                                            • CloseHandle.KERNEL32(00000000,0004714F,?,00000000,?,0004DED5,?,00047083,00000000,?,0005948E,?,00047333,0004713F,0004713F,00000000), ref: 00063280
                                            • CloseHandle.KERNEL32(00000000,0004714F,?,00000000,?,0004DED5,?,00047083,00000000,?,0005948E,?,00047333,0004713F,0004713F,00000000), ref: 0006328F
                                            • CloseHandle.KERNEL32(00000000,0004714F,?,00000000,?,0004DED5,?,00047083,00000000,?,0005948E,?,00047333,0004713F,0004713F,00000000), ref: 0006329E
                                            Strings
                                            • Failed to set begin operation event., xrefs: 0006321F
                                            • Failed to wait for thread to terminate., xrefs: 00063263
                                            • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 00063215, 00063259
                                            Similarity
                                            • API ID: CloseHandle$ErrorLast$EventObjectSingleWait
                                            • String ID: Failed to set begin operation event.$Failed to wait for thread to terminate.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                            • API String ID: 1206859064-754580096
                                            • Opcode ID: c536a2bbc932e9c9c5a357a5d5d02c77332d39a0b0dae24da4ae8725697c0cba
                                            • Instruction ID: aa8af0e72ed668d4fdd5f3fa099f10935a34de1e9e6edd880b3abf08cbdf7c03
                                            • Opcode Fuzzy Hash: c536a2bbc932e9c9c5a357a5d5d02c77332d39a0b0dae24da4ae8725697c0cba
                                            • Instruction Fuzzy Hash: 27212433900A33B7EB215B65DC49746BAE1BF04722F010324E948659A0D7B8EDA0CAD8
                                            APIs
                                            • GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,?,00000000,00000000,00000003,00000000,00000000), ref: 0005B0FD
                                            • GetLastError.KERNEL32(000007D0,000007D0,00000000,00000000,000007D0,00000001), ref: 0005B125
                                            Strings
                                            Similarity
                                            • API ID: ErrorLast
                                            • String ID: $$0$Could not close verify handle.$Could not verify file %ls.$Failed to allocate memory$Failed to allocate string.$Failed to encode file hash.$Failed to get file hash.$c:\agent\_work\36\s\wix\src\burn\engine\cache.cpp
                                            • API String ID: 1452528299-3709293557
                                            • Opcode ID: 7ef0022de942baa34692fba9ad2761e59ec43e87a63460b293721d6fb6a33b8b
                                            • Instruction ID: 3f5bf6be3158978626b82bd168b864fac8f5c13388209a511b15bc09bcdb743c
                                            • Opcode Fuzzy Hash: 7ef0022de942baa34692fba9ad2761e59ec43e87a63460b293721d6fb6a33b8b
                                            • Instruction Fuzzy Hash: 69818272D00629ABDB61DB94CC41BEFB7F4BF08711F114125ED14BB291E774AD448BA4
                                            APIs
                                            • GetWindowLongW.USER32(?,000000EB), ref: 000601FD
                                            • DefWindowProcW.USER32(?,00000082,?,?), ref: 0006023B
                                            • SetWindowLongW.USER32(?,000000EB,00000000), ref: 00060248
                                            • SetWindowLongW.USER32(?,000000EB,?), ref: 00060257
                                            • DefWindowProcW.USER32(?,?,?,?), ref: 00060265
                                            • CreateCompatibleDC.GDI32(?), ref: 00060271
                                            • SelectObject.GDI32(00000000,00000000), ref: 00060282
                                            • StretchBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 000602A4
                                            • SelectObject.GDI32(00000000,00000000), ref: 000602AC
                                            • DeleteDC.GDI32(00000000), ref: 000602AF
                                            • PostQuitMessage.USER32(00000000), ref: 000602BD
                                            Similarity
                                            • API ID: Window$Long$ObjectProcSelect$CompatibleCreateDeleteMessagePostQuitStretch
                                            • String ID:
                                            • API String ID: 409979828-0
                                            • Opcode ID: 1fceb157ed20509e9586ae8f485a4dc8db069d6fe592ef6639e95ea7a3a47054
                                            • Instruction ID: f5694fb947a1db0071f42a07b88691e344eb7f803871b3355d2c1c0fcc09ff67
                                            • Opcode Fuzzy Hash: 1fceb157ed20509e9586ae8f485a4dc8db069d6fe592ef6639e95ea7a3a47054
                                            • Instruction Fuzzy Hash: 9B219A32140215BFEB655F68DC1CE7B3FAAFF49320B114A28F642961A0D2758C50EB60
                                            APIs
                                            • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,name,000000FF,00000000,00000000,00000000,?,74DEDFD0), ref: 0008A2AF
                                            • CompareStringW.KERNEL32(0000007F,00000000,00000000,000000FF,email,000000FF), ref: 0008A2CC
                                            • SysFreeString.OLEAUT32(00000000), ref: 0008A30A
                                            • SysFreeString.OLEAUT32(00000000), ref: 0008A34E
                                            Strings
                                            Similarity
                                            • API ID: String$CompareFree
                                            • String ID: `<u$email$name$uri
                                            • API String ID: 3589242889-1197142144
                                            • Opcode ID: 52f04861bed8246235b89dd537cfd8e356cb83c4d99dc985494cad50e5fd8269
                                            • Instruction ID: 478c3723d420abc8d2f82abcf7a8e5058b84caec4cf8519aa16940ceb99489e8
                                            • Opcode Fuzzy Hash: 52f04861bed8246235b89dd537cfd8e356cb83c4d99dc985494cad50e5fd8269
                                            • Instruction Fuzzy Hash: 2D415B31A01219BBEF21AB94CC44FADB7B4BB06721F2442A5F560AA1D1CB359E00DB51
                                            APIs
                                            • _MREFOpen@16.MSPDB140-MSVCRT ref: 0005116A
                                              • Part of subcall function 00041B27: CreateDirectoryW.KERNELBASE(00000000,00047083,00000000,00000000,?,0005BDBF,00000000,00000000,?,00000000,840F01E8,00047083,00000000,0004714F,840F01E8), ref: 00041B35
                                              • Part of subcall function 00041B27: GetLastError.KERNEL32(?,0005BDBF,00000000,00000000,?,00000000,840F01E8,00047083,00000000,0004714F,840F01E8), ref: 00041B43
                                            • lstrlenA.KERNEL32(002E0032,00000000,00000094,00000000,00000094,crypt32.dll,crypt32.dll,00052190,swidtag,00000094,0008E500,00330074,00052190,00000000,crypt32.dll,00000000), ref: 000511BD
                                              • Part of subcall function 00044483: CreateFileW.KERNEL32(002E0032,40000000,00000001,00000000,00000002,00000080,00000000,00052190,00000000,?,000511D4,0008E500,00000080,002E0032,00000000), ref: 0004449B
                                              • Part of subcall function 00044483: GetLastError.KERNEL32(?,000511D4,0008E500,00000080,002E0032,00000000,?,00052190,crypt32.dll,00000094,?,?,?,?,?,00000000), ref: 000444A8
                                            Strings
                                            Similarity
                                            • API ID: CreateErrorLast$DirectoryFileOpen@16lstrlen
                                            • String ID: Failed to allocate regid file path.$Failed to allocate regid folder path.$Failed to create regid folder: %ls$Failed to format tag folder path.$Failed to write tag xml to file: %ls$crypt32.dll$swidtag
                                            • API String ID: 904508749-2959304021
                                            • Opcode ID: 15a457737cbdb9115b73c7f93aab390e6d6c4e3ec1c9ab089ac47e29cc03053b
                                            • Instruction ID: c48b66731ab7b02653b0708fc1f18c0f317f1db8ed02fa38147d157f6159f16f
                                            • Opcode Fuzzy Hash: 15a457737cbdb9115b73c7f93aab390e6d6c4e3ec1c9ab089ac47e29cc03053b
                                            • Instruction Fuzzy Hash: A231B071D00624BBDF12AB94CC81BDEBBB5AF04712F108161FE10EA251D7719A649B94
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?), ref: 000612B5
                                            • LeaveCriticalSection.KERNEL32(?), ref: 00061430
                                            Strings
                                            • Failed to set download password., xrefs: 000613DE
                                            • Failed to set download user., xrefs: 000613B8
                                            • UX requested unknown container with id: %ls, xrefs: 0006135A
                                            • UX requested unknown payload with id: %ls, xrefs: 0006130A
                                            • UX did not provide container or payload id., xrefs: 0006141F
                                            • Engine is active, cannot change engine state., xrefs: 000612CF
                                            • Failed to set download URL., xrefs: 0006138F
                                            • UX denied while trying to set download URL on embedded payload: %ls, xrefs: 00061320
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID: Engine is active, cannot change engine state.$Failed to set download URL.$Failed to set download password.$Failed to set download user.$UX denied while trying to set download URL on embedded payload: %ls$UX did not provide container or payload id.$UX requested unknown container with id: %ls$UX requested unknown payload with id: %ls
                                            • API String ID: 3168844106-2615595102
                                            • Opcode ID: 9af5e0b1fbebd4594e63b448ecef7c3c8fb4d2a0fd4e493ae67240710098fb43
                                            • Instruction ID: ba029269265b5ec6000876ec430a9618acdc8567959abf77529b8136504172c8
                                            • Opcode Fuzzy Hash: 9af5e0b1fbebd4594e63b448ecef7c3c8fb4d2a0fd4e493ae67240710098fb43
                                            • Instruction Fuzzy Hash: F841F972A00622ABDB61AB24C845AEE73EAFF00711F1D4126F805EB691EB70DE50C795
                                            APIs
                                            • CreateFileW.KERNEL32(000000FF,C0000000,00000004,00000000,00000004,00000080,00000000,00000000,00000000,00000000,00000078,00000410,000000FF,?,00000000,00000000), ref: 000890DA
                                            • GetLastError.KERNEL32 ref: 000890E8
                                            • VirtualAlloc.KERNEL32(00000000,00010000,00003000,00000004), ref: 00089129
                                            • GetLastError.KERNEL32 ref: 00089136
                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 000892A9
                                            • CloseHandle.KERNEL32(?), ref: 000892B8
                                            Strings
                                            • GET, xrefs: 000891DD
                                            • c:\agent\_work\36\s\wix\src\libs\dutil\dlutil.cpp, xrefs: 0008910C
                                            Similarity
                                            • API ID: ErrorLastVirtual$AllocCloseCreateFileFreeHandle
                                            • String ID: GET$c:\agent\_work\36\s\wix\src\libs\dutil\dlutil.cpp
                                            • API String ID: 2028584396-3792313763
                                            • Opcode ID: 4852b9024dc4ee3e4f79ef13a9d6ac7b80db7b6e9a407c5629199215c4339fa5
                                            • Instruction ID: 50c7f064e0efb920aa965b3bd1b6568961a22a9b26923a17c75adf1c82b6eb04
                                            • Opcode Fuzzy Hash: 4852b9024dc4ee3e4f79ef13a9d6ac7b80db7b6e9a407c5629199215c4339fa5
                                            • Instruction Fuzzy Hash: B5615A72A0021AABDF61EFA4CC89BFE7BB8BB48750F190129FD45B7250D77499408B90
                                            APIs
                                            • WaitForSingleObject.KERNEL32(?,0002BF20,?,F0000003,00000000,00000000,?,00000000,00000000,00000000,00047154,00000000,00000000,?,00000000), ref: 00057146
                                            • GetLastError.KERNEL32(?,?,?,0004692F,?,?,00000000,?,?,?,?,?,?,0008E4A0,?,?), ref: 00057151
                                            Strings
                                            • c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp, xrefs: 00057175
                                            • Failed to wait for child process exit., xrefs: 0005717F
                                            • Failed to write restart to message buffer., xrefs: 000570E9
                                            • Failed to post terminate message to child process., xrefs: 00057131
                                            • Failed to write exit code to message buffer., xrefs: 000570C1
                                            • Failed to post terminate message to child process cache thread., xrefs: 00057115
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: ErrorLastObjectSingleWait
                                            • String ID: Failed to post terminate message to child process cache thread.$Failed to post terminate message to child process.$Failed to wait for child process exit.$Failed to write exit code to message buffer.$Failed to write restart to message buffer.$c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp
                                            • API String ID: 1211598281-2003247018
                                            APIs
                                            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,00000001,00000000,?), ref: 000523A2
                                            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000001,00000000,?,?,00020006,00000000,?,00000001,00000000,?), ref: 000523B1
                                              • Part of subcall function 000454AE: RegCreateKeyExW.ADVAPI32(00000001,00000000,00000000,00000000,00000000,00000001,00000000,?,00000000,00000001,?,?,000522E9,?,00000000,00020006), ref: 000454D3
                                            Strings
                                            • Failed to write volatile reboot required registry key., xrefs: 000522ED
                                            • Failed to update resume mode., xrefs: 00052386
                                            • Failed to delete registration key: %ls, xrefs: 00052350
                                            • %ls.RebootRequired, xrefs: 000522BF
                                            • Failed to open registration key., xrefs: 000523E7
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: Close$Create
                                            • String ID: %ls.RebootRequired$Failed to delete registration key: %ls$Failed to open registration key.$Failed to update resume mode.$Failed to write volatile reboot required registry key.
                                            • API String ID: 359002179-2517785395
                                            APIs
                                            • CoCreateInstance.OLE32(000A4514,00000000,00000017,000A4524,?,?,00000000,00000000,?,?,?,?,?,0006F9BE,00000000,00000000), ref: 0006F3D0
                                            Strings
                                            • Failed to create IBackgroundCopyManager., xrefs: 0006F3DC
                                            • Failed to set notification flags for BITS job., xrefs: 0006F422
                                            • Failed to create BITS job., xrefs: 0006F40A
                                            • WixBurn, xrefs: 0006F3FB
                                            • Failed to set progress timeout., xrefs: 0006F43A
                                            • Failed to set BITS job to foreground., xrefs: 0006F451
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: CreateInstance
                                            • String ID: Failed to create BITS job.$Failed to create IBackgroundCopyManager.$Failed to set BITS job to foreground.$Failed to set notification flags for BITS job.$Failed to set progress timeout.$WixBurn
                                            • API String ID: 542301482-468763447
                                            APIs
                                            • CloseHandle.KERNEL32(00000000,?,?,00000001,0008E500,?,00000001,000000FF,?,?,00000000,00000000,00000001,00000000,?,00059106), ref: 0005F20D
                                            Strings
                                            • UX aborted elevation requirement., xrefs: 0005F115
                                            • c:\agent\_work\36\s\wix\src\burn\engine\elevation.cpp, xrefs: 0005F10B
                                            • Failed to elevate., xrefs: 0005F1EF
                                            • Failed to create pipe name and client token., xrefs: 0005F141
                                            • Failed to create pipe and cache pipe., xrefs: 0005F15D
                                            • Failed to connect to elevated child process., xrefs: 0005F1F6
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: CloseHandle
                                            • String ID: Failed to connect to elevated child process.$Failed to create pipe and cache pipe.$Failed to create pipe name and client token.$Failed to elevate.$UX aborted elevation requirement.$c:\agent\_work\36\s\wix\src\burn\engine\elevation.cpp
                                            • API String ID: 2962429428-2894792899
                                            APIs
                                            • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,?,?,?,000475EF,00000100,00000100,00000000,?,00000001,00000000,00000100), ref: 0004903E
                                            • LeaveCriticalSection.KERNEL32(00000000,00000000,00000100,00000000,?,?,?,000475EF,00000100,00000100,00000000,?,00000001,00000000,00000100), ref: 0004911D
                                            Strings
                                            • Failed to format value '%ls' of variable: %ls, xrefs: 000490E7
                                            • Failed to get value as string for variable: %ls, xrefs: 0004910C
                                            • *****, xrefs: 000490D9, 000490E6
                                            • Failed to get variable: %ls, xrefs: 0004907F
                                            • Failed to get unformatted string., xrefs: 000490AE
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID: *****$Failed to format value '%ls' of variable: %ls$Failed to get unformatted string.$Failed to get value as string for variable: %ls$Failed to get variable: %ls
                                            • API String ID: 3168844106-2873099529
                                            APIs
                                              • Part of subcall function 000450E9: GetProcessHeap.KERNEL32(?,000001C7,?,00042D50,?,00000001,80004005,8007139F,?,?,00085417,8007139F,?,00000000,00000000,8007139F), ref: 000450FA
                                              • Part of subcall function 000450E9: RtlAllocateHeap.NTDLL(00000000,?,00042D50,?,00000001,80004005,8007139F,?,?,00085417,8007139F,?,00000000,00000000,8007139F), ref: 00045101
                                            • _memcpy_s.LIBCMT ref: 00056357
                                            • _memcpy_s.LIBCMT ref: 0005636A
                                            • _memcpy_s.LIBCMT ref: 00056385
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: _memcpy_s$Heap$AllocateProcess
                                            • String ID: Failed to allocate memory for message.$c:\agent\_work\36\s\wix\src\burn\engine\pipe.cpp$crypt32.dll
                                            • API String ID: 886498622-4208266268
                                            APIs
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: CloseErrorExecuteHandleLastShell
                                            • String ID: <$PDu$c:\agent\_work\36\s\wix\src\libs\dutil\shelutil.cpp
                                            • API String ID: 3023784893-1716625543
                                            APIs
                                            • GetLastError.KERNEL32(?,?,00073125,000737FC), ref: 0007313C
                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0007314A
                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00073163
                                            • SetLastError.KERNEL32(00000000,?,00073125,000737FC), ref: 000731B5
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: ErrorLastValue___vcrt_
                                            • String ID:
                                            • API String ID: 3852720340-0
                                            APIs
                                              • Part of subcall function 000450E9: GetProcessHeap.KERNEL32(?,000001C7,?,00042D50,?,00000001,80004005,8007139F,?,?,00085417,8007139F,?,00000000,00000000,8007139F), ref: 000450FA
                                              • Part of subcall function 000450E9: RtlAllocateHeap.NTDLL(00000000,?,00042D50,?,00000001,80004005,8007139F,?,?,00085417,8007139F,?,00000000,00000000,8007139F), ref: 00045101
                                            • SysFreeString.OLEAUT32(00000000), ref: 0008B289
                                            • SysFreeString.OLEAUT32(00000000), ref: 0008B294
                                            • SysFreeString.OLEAUT32(00000000), ref: 0008B29F
                                            Strings
                                            • c:\agent\_work\36\s\wix\src\libs\dutil\atomutil.cpp, xrefs: 0008B15F
                                            • `<u, xrefs: 0008B27E
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: FreeString$Heap$AllocateProcess
                                            • String ID: `<u$c:\agent\_work\36\s\wix\src\libs\dutil\atomutil.cpp
                                            • API String ID: 2724874077-571412331
                                            APIs
                                              • Part of subcall function 000450E9: GetProcessHeap.KERNEL32(?,000001C7,?,00042D50,?,00000001,80004005,8007139F,?,?,00085417,8007139F,?,00000000,00000000,8007139F), ref: 000450FA
                                              • Part of subcall function 000450E9: RtlAllocateHeap.NTDLL(00000000,?,00042D50,?,00000001,80004005,8007139F,?,?,00085417,8007139F,?,00000000,00000000,8007139F), ref: 00045101
                                            • SysFreeString.OLEAUT32(00000000), ref: 0008B10C
                                            • SysFreeString.OLEAUT32(?), ref: 0008B117
                                            • SysFreeString.OLEAUT32(00000000), ref: 0008B122
                                            Strings
                                            • c:\agent\_work\36\s\wix\src\libs\dutil\atomutil.cpp, xrefs: 0008B056
                                            • `<u, xrefs: 0008B101
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: FreeString$Heap$AllocateProcess
                                            • String ID: `<u$c:\agent\_work\36\s\wix\src\libs\dutil\atomutil.cpp
                                            • API String ID: 2724874077-571412331
                                            APIs
                                            • CompareStringW.KERNEL32(0000007F,00001000,?,000000FF,version.dll,000000FF,?,?,00000000,0004828E,0004828E,?,00047301,?,?,00000000), ref: 000473A7
                                            • GetLastError.KERNEL32(?,00047301,?,?,00000000,?,?,0004828E,?,00049C40,?,?,?,?,?), ref: 000473D6
                                            Strings
                                            • Failed to compare strings., xrefs: 00047404
                                            • version.dll, xrefs: 00047399
                                            • c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp, xrefs: 000473FA
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: CompareErrorLastString
                                            • String ID: Failed to compare strings.$c:\agent\_work\36\s\wix\src\burn\engine\variable.cpp$version.dll
                                            • API String ID: 1733990998-34241861
                                            APIs
                                            • InitializeCriticalSection.KERNEL32(00000008,00000000,00000000,?,0006FA29,?,?,?,?,?,00000000,00000000,?), ref: 0006F2EB
                                            • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,0006FA29,?,?,?,?,?,00000000,00000000,?), ref: 0006F2F6
                                            • GetLastError.KERNEL32(?,0006FA29,?,?,?,?,?,00000000,00000000,?), ref: 0006F303
                                            Strings
                                            • Failed to create BITS job complete event., xrefs: 0006F331
                                            • c:\agent\_work\36\s\wix\src\burn\engine\bitsengine.cpp, xrefs: 0006F327
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: CreateCriticalErrorEventInitializeLastSection
                                            • String ID: Failed to create BITS job complete event.$c:\agent\_work\36\s\wix\src\burn\engine\bitsengine.cpp
                                            • API String ID: 3069647169-1975467286
                                            APIs
                                            • GetProcAddress.KERNEL32(SRSetRestorePointW,srclient.dll), ref: 00086331
                                            • GetLastError.KERNEL32(?,000466AA,00000001,?,?,00046227,?,?,?,?,0004712C,?,?,?,?), ref: 00086340
                                            Strings
                                            • c:\agent\_work\36\s\wix\src\libs\dutil\srputil.cpp, xrefs: 00086361
                                            • srclient.dll, xrefs: 0008630F
                                            • SRSetRestorePointW, xrefs: 00086326
                                            Similarity
                                            • API ID: AddressErrorLastProc
                                            • String ID: SRSetRestorePointW$c:\agent\_work\36\s\wix\src\libs\dutil\srputil.cpp$srclient.dll
                                            APIs
                                            • EnterCriticalSection.KERNEL32(00047083,WixBundleOriginalSource,?,?,0005C326,840F01E8,WixBundleOriginalSource,?,000AEBC0,?,00000000,0004710B,00000001,?,?,0004710B), ref: 000491BF
                                            • LeaveCriticalSection.KERNEL32(00047083,00047083,00000000,00000000,?,?,0005C326,840F01E8,WixBundleOriginalSource,?,000AEBC0,?,00000000,0004710B,00000001,?), ref: 00049226
                                            Strings
                                            • Failed to get value of variable: %ls, xrefs: 000491F9
                                            • Failed to get value as string for variable: %ls, xrefs: 00049215
                                            • WixBundleOriginalSource, xrefs: 000491BB
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID: Failed to get value as string for variable: %ls$Failed to get value of variable: %ls$WixBundleOriginalSource
                                            APIs
                                            • GetProcessHeap.KERNEL32(00000000,00000000,80004005,00000000,00000000,00000100,?,00041EB7,00000000,80004005,00000000,80004005,00000000,000001C7,?,00041DFD), ref: 000452C9
                                            • HeapReAlloc.KERNEL32(00000000,?,00041EB7,00000000,80004005,00000000,80004005,00000000,000001C7,?,00041DFD,000001C7,00000100,?,80004005,00000000), ref: 000452D0
                                              • Part of subcall function 000450E9: GetProcessHeap.KERNEL32(?,000001C7,?,00042D50,?,00000001,80004005,8007139F,?,?,00085417,8007139F,?,00000000,00000000,8007139F), ref: 000450FA
                                              • Part of subcall function 000450E9: RtlAllocateHeap.NTDLL(00000000,?,00042D50,?,00000001,80004005,8007139F,?,?,00085417,8007139F,?,00000000,00000000,8007139F), ref: 00045101
                                              • Part of subcall function 00045369: GetProcessHeap.KERNEL32(00000000,000001C7,?,00042CA9,000001C7,80004005,8007139F,?,?,00085417,8007139F,?,00000000,00000000,8007139F), ref: 00045371
                                              • Part of subcall function 00045369: HeapSize.KERNEL32(00000000,?,00042CA9,000001C7,80004005,8007139F,?,?,00085417,8007139F,?,00000000,00000000,8007139F), ref: 00045378
                                            • _memcpy_s.LIBCMT ref: 0004531C
                                            Strings
                                            • c:\agent\_work\36\s\wix\src\libs\dutil\memutil.cpp, xrefs: 0004535D
                                            Similarity
                                            • API ID: Heap$Process$AllocAllocateSize_memcpy_s
                                            • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\memutil.cpp
                                            APIs
                                            • CreateFileW.KERNEL32(00000000,00000080,00000001,00000000,00000003,00000080,00000000,000002C0,00000000,?,0006A7DB,00000000,00000088,000002C0,BundleCachePath,00000000), ref: 00044087
                                            • GetLastError.KERNEL32(?,0006A7DB,00000000,00000088,000002C0,BundleCachePath,00000000,000002C0,BundleVersion,000000B8,000002C0,EngineVersion,000002C0,000000B0), ref: 00044094
                                            Strings
                                            Similarity
                                            • API ID: CreateErrorFileLast
                                            • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp
                                            APIs
                                            • PostThreadMessageW.USER32(?,00009005,?,00000000), ref: 0006106A
                                            • GetLastError.KERNEL32 ref: 00061074
                                            Strings
                                            • Failed to post shutdown message., xrefs: 000610A2
                                            • c:\agent\_work\36\s\wix\src\burn\engine\engineforapplication.cpp, xrefs: 00061098
                                            Similarity
                                            • API ID: ErrorLastMessagePostThread
                                            • String ID: Failed to post shutdown message.$c:\agent\_work\36\s\wix\src\burn\engine\engineforapplication.cpp
                                            APIs
                                            • SetEvent.KERNEL32(0008E478,00000000,?,000632E3,?,00000000,?,0004DF87,?,000470CB,?,000591E6,?,?,000470CB,?), ref: 00062398
                                            • GetLastError.KERNEL32(?,000632E3,?,00000000,?,0004DF87,?,000470CB,?,000591E6,?,?,000470CB,?,0004710B,00000001), ref: 000623A2
                                            Strings
                                            • Failed to set begin operation event., xrefs: 000623D0
                                            • c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp, xrefs: 000623C6
                                            Similarity
                                            • API ID: ErrorEventLast
                                            • String ID: Failed to set begin operation event.$c:\agent\_work\36\s\wix\src\burn\engine\cabextract.cpp
                                            APIs
                                            • GetConsoleOutputCP.KERNEL32(91776666,?,00000000,000AB9F8), ref: 0008133F
                                              • Part of subcall function 0007CE00: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00080FB5,?,00000000,-00000008), ref: 0007CEAC
                                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0008159A
                                            • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 000815E2
                                            • GetLastError.KERNEL32 ref: 00081685
                                            Similarity
                                            • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                            • String ID:
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?), ref: 0004913F
                                            • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 000491A6
                                            Strings
                                            • Failed to get value of variable: %ls, xrefs: 00049179
                                            • Failed to get value as numeric for variable: %ls, xrefs: 00049195
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID: Failed to get value as numeric for variable: %ls$Failed to get value of variable: %ls
                                            APIs
                                            • EnterCriticalSection.KERNEL32(?), ref: 000492AE
                                            • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 00049315
                                            Strings
                                            • Failed to get value of variable: %ls, xrefs: 000492E8
                                            • Failed to get value as version for variable: %ls, xrefs: 00049304
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID: Failed to get value as version for variable: %ls$Failed to get value of variable: %ls
                                            APIs
                                            • EnterCriticalSection.KERNEL32(000000D0,?,000000B8,00000000,?,00058C6F,000000B8,00000000,?,00000000,75C0B390), ref: 0004F1AD
                                            • LeaveCriticalSection.KERNEL32(000000D0,?,00058C6F,000000B8,00000000,?,00000000,75C0B390), ref: 0004F1D0
                                            Strings
                                            • c:\agent\_work\36\s\wix\src\burn\engine\userexperience.cpp, xrefs: 0004F1E9
                                            • Engine active cannot be changed because it was already in that state., xrefs: 0004F1F3
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID: Engine active cannot be changed because it was already in that state.$c:\agent\_work\36\s\wix\src\burn\engine\userexperience.cpp
                                            APIs
                                            • EnterCriticalSection.KERNEL32(00000000,00000000,00000006,?,0004B599,00000000,?,00000000,00000000,00000000,?,0004B3DA,00000000,?,00000000,00000000), ref: 0004923F
                                            • LeaveCriticalSection.KERNEL32(00000000,00000000,00000000,00000000,?,0004B599,00000000,?,00000000,00000000,00000000,?,0004B3DA,00000000,?,00000000), ref: 00049295
                                            Strings
                                            • Failed to get value of variable: %ls, xrefs: 00049265
                                            • Failed to copy value of variable: %ls, xrefs: 00049284
                                            Similarity
                                            • API ID: CriticalSection$EnterLeave
                                            • String ID: Failed to copy value of variable: %ls$Failed to get value of variable: %ls
                                            APIs
                                            Strings
                                            Similarity
                                            • API ID: _memcpy_s
                                            • String ID: crypt32.dll$wininet.dll
                                            APIs
                                              • Part of subcall function 0004582C: RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,00000000,00000001,000AEBD4,00000000,?,00088E2A,80000002,00000000,00020019,00000000,SOFTWARE\Policies\,00000000,00000000), ref: 00045840
                                            • RegCloseKey.ADVAPI32(00000000,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,00020019,00000000,?,?,?,?,?,000880E3,?), ref: 000882B4
                                            Strings
                                            • SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, xrefs: 0008825E
                                            • EnableLUA, xrefs: 00088286
                                            Similarity
                                            • API ID: CloseOpen
                                            • String ID: EnableLUA$SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
                                            • API String ID: 47109696-3551287084
                                            • Opcode ID: ec5f86e632389807e74afedc31427de8b6394ce44d4a7ef8b1ed082b11553e98
                                            • Instruction ID: 0e3da3b91817b67af963e84a5f42e07648558431f6624d54c3fec6572da666b5
                                            • Opcode Fuzzy Hash: ec5f86e632389807e74afedc31427de8b6394ce44d4a7ef8b1ed082b11553e98
                                            • Instruction Fuzzy Hash: A0017C72911634EBDB10BAA4CC0ABEEFAA8BB14761F608164A941B7051DBB45E80D7D4
                                            APIs
                                            • GetCurrentProcess.KERNEL32(?), ref: 0004822F
                                              • Part of subcall function 00085CD2: GetModuleHandleW.KERNEL32(kernel32,IsWow64Process2,?,?,?,?,00047B69,00000000), ref: 00085CE7
                                              • Part of subcall function 00085CD2: GetProcAddress.KERNEL32(00000000), ref: 00085CEE
                                              • Part of subcall function 00085CD2: GetLastError.KERNEL32(?,?,?,?,00047B69,00000000), ref: 00085D09
                                              • Part of subcall function 0004799D: RegCloseKey.ADVAPI32(00000000,?,00000000,CommonFilesDir,?,80000002,SOFTWARE\Microsoft\Windows\CurrentVersion,00020119,00000000), ref: 00047A23
                                            Strings
                                            • Failed to set variant value., xrefs: 0004826C
                                            • Failed to get 64-bit folder., xrefs: 00048252
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: AddressCloseCurrentErrorHandleLastModuleProcProcess
                                            • String ID: Failed to get 64-bit folder.$Failed to set variant value.
                                            • API String ID: 3109562764-2681622189
                                            • Opcode ID: 842e13b95701f140e00509ab239efb933f574dbfe0a713e617efaa3a19dee61b
                                            • Instruction ID: 73d1de122f1d751d5390b00481f055fc9eedfe82dd9c1b8a9ee8cbe1d74de7c3
                                            • Opcode Fuzzy Hash: 842e13b95701f140e00509ab239efb933f574dbfe0a713e617efaa3a19dee61b
                                            • Instruction Fuzzy Hash: 7D01D6B2900638BBDF12A7A0CD069DD7778EF00761F208161F540BA011DB749F00D7C4
                                            APIs
                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00070CC2
                                              • Part of subcall function 00072ECD: RaiseException.KERNEL32(?,?,?,00070CE4,?,00000000,00000000,?,?,?,?,?,00070CE4,?,000AB5D0), ref: 00072F2D
                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00070CDF
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: Exception@8Throw$ExceptionRaise
                                            • String ID: Unknown exception
                                            • API String ID: 3476068407-410509341
                                            • Opcode ID: 74a5a191dea1a713ad42b2eaede47cf1daf0a749eb923277737e91a766093890
                                            • Instruction ID: e3d106a25a0bf4e0a12d98502a792689e4693cb91c441040eca3190712ba7e82
                                            • Opcode Fuzzy Hash: 74a5a191dea1a713ad42b2eaede47cf1daf0a749eb923277737e91a766093890
                                            • Instruction Fuzzy Hash: FEF0AF34D0020DE7CB14AAA8ED1699E73AC9B01310B90C720B91CD6493EBB8EA4586E9
                                            APIs
                                            • GetFileSizeEx.KERNEL32(00000000,00000000,00000000,74DF34C0,?,?,?,0004D729,?,?,?,00000000,00000000), ref: 000440F6
                                            • GetLastError.KERNEL32(?,?,?,0004D729,?,?,?,00000000,00000000,?,?,?,00000000,76EEC3F0,00000000), ref: 00044100
                                            Strings
                                            • c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp, xrefs: 00044124
                                            Memory Dump Source
                                            • Source File: 00000014.00000002.5092271648.0000000000041000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00040000, based on PE: true
                                            • Associated: 00000014.00000002.5092189693.0000000000040000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092414770.000000000008E000.00000002.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092536057.00000000000AE000.00000004.00000001.01000000.0000000E.sdmp
                                            • Associated: 00000014.00000002.5092620117.00000000000B1000.00000002.00000001.01000000.0000000E.sdmp
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_20_2_40000_VC_redist.jbxd
                                            Similarity
                                            • API ID: ErrorFileLastSize
                                            • String ID: c:\agent\_work\36\s\wix\src\libs\dutil\fileutil.cpp
                                            • API String ID: 464720113-1339450348
                                            • Opcode ID: 977ce8e0e41a2c116ac3d53cba33852b2d76cbda3c27dcf5f39aad4c24a2b2ef
                                            • Instruction ID: 6c0a3f70babb6fe5b8147080981660f74e22e40101663241c6090c02153801e6
                                            • Opcode Fuzzy Hash: 977ce8e0e41a2c116ac3d53cba33852b2d76cbda3c27dcf5f39aad4c24a2b2ef
                                            • Instruction Fuzzy Hash: F8F0C2F6A0023ABBA7208F84CD09A9AFBACFF14B60B014125FD44A7350E770AD40CBD4