Windows Analysis Report
q9bzWO2X1r.msi

Overview

General Information

Sample name: q9bzWO2X1r.msi
(renamed because original name is a hash value)
Original sample name: 8f04aa009c4431c6f5f7d7e9081862404b78bc4da0b59944706d0acc86dcfec0.msi
Analysis ID: 1579136
MD5: 43a80979e479ca95d6438d5b01554eff
SHA1: ce76f966151ca4e1693c2b0a8de999a792299f70
SHA256: 8f04aa009c4431c6f5f7d7e9081862404b78bc4da0b59944706d0acc86dcfec0
Tags: cubermo-com, LegionLoader, msi, RobotDropper, user-johnk3r

Detection

Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Bypasses PowerShell execution policy
Query firmware table information (likely to detect VMs)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 7404 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\q9bzWO2X1r.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 7440 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7560 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 9E6B792D165F3699370CC83EA33AEF40 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 7748 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss3245.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3232.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3233.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3234.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 8064 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 8084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ImporterREDServer.exe (PID: 8172 cmdline: "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe" MD5: F67792E08586EA936EBCAE43AAB0388D)
        • conhost.exe (PID: 8180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • createdump.exe (PID: 8076 cmdline: "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe" MD5: 71F796B486C7FAF25B9B16233A7CE0CD)
      • conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process startedAuthor: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss3245.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3232.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3233.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3234.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss3245.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3232.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3233.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3234.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 9E6B792D165F3699370CC83EA33AEF40, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7560, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss3245.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3232.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3233.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3234.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7748, ProcessName: powershell.exe
Source: Process startedAuthor: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss3245.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3232.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3233.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3234.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss3245.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3232.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3233.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3234.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 9E6B792D165F3699370CC83EA33AEF40, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7560, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss3245.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3232.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3233.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3234.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7748, ProcessName: powershell.exe
Source: Process startedAuthor: frack113: Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss3245.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3232.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3233.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3234.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss3245.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3232.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3233.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3234.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 9E6B792D165F3699370CC83EA33AEF40, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7560, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss3245.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3232.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3233.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3234.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7748, ProcessName: powershell.exe
Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 172.67.164.25, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7560, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss3245.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3232.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3233.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3234.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss3245.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3232.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3233.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3234.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 9E6B792D165F3699370CC83EA33AEF40, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7560, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss3245.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3232.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3233.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3234.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 7748, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-20T22:18:23.137302+0100 | 2829202 | 1 | A Network Trojan was detected | 192.168.2.4 | 49731 | 172.67.164.25 | 443 | TCP

AV Detection

Source: Submitted Sample, Integrated Neural Analysis Model: Matched 97.6% probability
Source: C:\Windows\System32\msiexec.exe, Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{25141F70-E594-4AAF-AF96-6FC4779FE34B}
Source: unknownHTTPS traffic detected: 172.67.164.25:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: C:\Windows\System32\msiexec.exe, File opened: z:
Source: C:\Windows\System32\msiexec.exe, File opened: x:
Source: C:\Windows\System32\msiexec.exe, File opened: v:
Source: C:\Windows\System32\msiexec.exe, File opened: t:
Source: C:\Windows\System32\msiexec.exe, File opened: r:
Source: C:\Windows\System32\msiexec.exe, File opened: p:
Source: C:\Windows\System32\msiexec.exe, File opened: n:
Source: C:\Windows\System32\msiexec.exe, File opened: l:
Source: C:\Windows\System32\msiexec.exe, File opened: j:
Source: C:\Windows\System32\msiexec.exe, File opened: h:
Source: C:\Windows\System32\msiexec.exe, File opened: f:
Source: C:\Windows\System32\msiexec.exe, File opened: b:
Source: C:\Windows\System32\msiexec.exe, File opened: y:
Source: C:\Windows\System32\msiexec.exe, File opened: w:
Source: C:\Windows\System32\msiexec.exe, File opened: u:
Source: C:\Windows\System32\msiexec.exe, File opened: s:
Source: C:\Windows\System32\msiexec.exe, File opened: q:
Source: C:\Windows\System32\msiexec.exe, File opened: o:
Source: C:\Windows\System32\msiexec.exe, File opened: m:
Source: C:\Windows\System32\msiexec.exe, File opened: k:
Source: C:\Windows\System32\msiexec.exe, File opened: i:
Source: C:\Windows\System32\msiexec.exe, File opened: g:
Source: C:\Windows\System32\msiexec.exe, File opened: e:
Source: C:\Windows\System32\cmd.exe, File opened: c:
Source: C:\Windows\System32\msiexec.exe, File opened: a:
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe, Code function: 12_2_00007FFE012DA330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,12_2_00007FFE012DA330

Networking

Source: Network traffic, Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49731 -> 172.67.164.25:443
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: cubermo.com
Source: unknown, HTTP traffic detected:
  POST /updater.php HTTP/1.1
  Content-Type: application/x-www-form-urlencoded; charset=utf-8
  User-Agent: AdvancedInstaller
  Host: cubermo.com
  Content-Length: 71
  Cache-Control: no-cache
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown, Network traffic detected: HTTP traffic on port 49731 -> 443
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\5dfe12.msi
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\MSI69E.tmp
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\MSI72B.tmp
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\MSI76B.tmp
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\MSI7AA.tmp
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\MSI7EA.tmp
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\MSI839.tmp
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\MSI878.tmp
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\MSI2652.tmp
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\SourceHash{25141F70-E594-4AAF-AF96-6FC4779FE34B}
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\MSI315F.tmp
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\MSI3170.tmp
Source: C:\Windows\System32\msiexec.exe, File created: C:\Windows\Installer\5dfe15.msi
Source: C:\Windows\System32\msiexec.exe, File deleted: C:\Windows\Installer\MSI69E.tmp
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: String function: 000000014000BC30 appears 53 times
Source: api-ms-win-core-handle-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: q9bzWO2X1r.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs q9bzWO2X1r.msi
Source: q9bzWO2X1r.msi Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs q9bzWO2X1r.msi
Source: q9bzWO2X1r.msi Binary or memory string: OriginalFilenameDataUploader.dllF vs q9bzWO2X1r.msi
Source: q9bzWO2X1r.msi Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs q9bzWO2X1r.msi
Source: q9bzWO2X1r.msi Binary or memory string: OriginalFilenameucrtbase.dllj% vs q9bzWO2X1r.msi
Source: q9bzWO2X1r.msi Binary or memory string: OriginalFilenamevcruntime140.dllT vs q9bzWO2X1r.msi
Source: q9bzWO2X1r.msi Binary or memory string: OriginalFilenamemsvcp140.dllT vs q9bzWO2X1r.msi
Source: q9bzWO2X1r.msi Binary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs q9bzWO2X1r.msi
Source: q9bzWO2X1r.msi Binary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs q9bzWO2X1r.msi
Source: q9bzWO2X1r.msi Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs q9bzWO2X1r.msi
Source: classification engine Classification label: mal68.evad.winMSI@17/91@1/1
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_0000000140010BE0 GetLastError,FormatMessageA
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE012DA7B0 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CML3C63.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8180:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8084:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DFAC7EF0C4832B8CA6.TMP
Source: C:\Windows\SysWOW64\msiexec.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\q9bzWO2X1r.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 9E6B792D165F3699370CC83EA33AEF40
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss3245.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3232.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3233.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3234.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windowmanagementapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: inputhost.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: propsys.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: twinapi.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: windows.ui.immersive.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: samcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: atlthunk.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: wininet.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: schannel.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mskeyprotect.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exeSection loaded: dbgcore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: dvacore.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: msvcp140.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: dbghelp.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: libzip.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: boost_system.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: boost_date_time.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: boost_threads.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: boost_filesystem.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: dvaunittesting.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: utest.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: mpr.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{25141F70-E594-4AAF-AF96-6FC4779FE34B}Jump to behavior
Source: q9bzWO2X1r.msiStatic file information: File size 60337152 > 1048576
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000009.00000000.1904289176.00007FF6429D8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000009.00000002.1907447849.00007FF6429D8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000C.00000000.1906961647.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: ucrtbase.pdb source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000C.00000002.1914516294.00000001802BD000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000C.00000000.1906961647.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000009.00000000.1904289176.00007FF6429D8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000009.00000002.1907447849.00007FF6429D8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: ucrtbase.pdbUGP source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: q9bzWO2X1r.msi, 5dfe15.msi.1.dr
Source: api-ms-win-core-synch-l1-2-0.dll.1.drStatic PE information: 0x8A188CB0 [Tue Jun 2 13:31:28 2043 UTC]
Source: vcruntime140.dll.1.drStatic PE information: section name: _RDATA
Source: UnRar.exe.1.drStatic PE information: section name: _RDATA
Source: BCUninstaller.exe.1.drStatic PE information: section name: _RDATA
Source: createdump.exe.1.drStatic PE information: section name: _RDATA
Source: MSI3170.tmp.1.drStatic PE information: section name: .fptable
Source: MSI69E.tmp.1.drStatic PE information: section name: .fptable
Source: MSI72B.tmp.1.drStatic PE information: section name: .fptable
Source: MSI76B.tmp.1.drStatic PE information: section name: .fptable
Source: MSI7AA.tmp.1.drStatic PE information: section name: .fptable
Source: MSI7EA.tmp.1.drStatic PE information: section name: .fptable
Source: MSI839.tmp.1.drStatic PE information: section name: .fptable
Source: MSI878.tmp.1.drStatic PE information: section name: .fptable
Source: MSI2652.tmp.1.drStatic PE information: section name: .fptable
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_035FBD8C push esp; ret 3_2_035FBD93
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 3_2_07D01B35 push eax; ret 3_2_07D01B49
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI878.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7EA.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\utest.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI72B.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI2652.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_threads.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_date_time.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\msvcp140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI3170.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_filesystem.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exeJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_system.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI839.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140_1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI7AA.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI69E.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI76B.tmpJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\msiexec.exeFile created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exeCode function: 12_2_00007FFE0130C0C0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,12_2_00007FFE0130C0C0
Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\cmd.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOGPFAULTERRORBOXJump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\msiexec.exe | System information queried: FirmwareTableInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4541
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1114
Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started:
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dll
  • C:\Windows\Installer\MSI878.tmp
  • C:\Windows\Installer\MSI7EA.tmp
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe
  • C:\Windows\Installer\MSI72B.tmp
  • C:\Windows\Installer\MSI3170.tmp
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dll
  • C:\Windows\Installer\MSI2652.tmp
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dll
  • C:\Windows\Installer\MSI839.tmp
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dll
  • C:\Windows\Installer\MSI7AA.tmp
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dll
  • C:\Windows\Installer\MSI69E.tmp
  • C:\Windows\Installer\MSI76B.tmp
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dll
  • C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | API coverage: 8.2 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7828 | Thread sleep count: 4541 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7828 | Thread sleep count: 1114 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7868 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7848 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 12_2_00007FFE012DA330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,12_2_00007FFE012DA330
Source: 5dfe15.msi.1.dr | Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: C:\Windows\System32\msiexec.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Code function: 9_2_00007FF6429D2ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00007FF6429D2ECC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Code function: 9_2_00007FF6429D2984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_00007FF6429D2984
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Code function: 9_2_00007FF6429D3074 SetUnhandledExceptionFilter,9_2_00007FF6429D3074
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 12_2_0000000140011004 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_0000000140011004
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 12_2_0000000140011D78 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_0000000140011D78
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 12_2_0000000140011F24 SetUnhandledExceptionFilter,12_2_0000000140011F24
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 12_2_00007FFE01322CDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00007FFE01322CDC
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 12_2_00007FFE1A54004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00007FFE1A54004C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss3245.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3232.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3233.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3234.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pss3245.ps1" -propfile "c:\users\user\appdata\local\temp\msi3232.txt" -scriptfile "c:\users\user\appdata\local\temp\scr3233.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scr3234.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: ___lc_locale_name_func,GetLocaleInfoEx,12_2_00007FFE012FEFC0
Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Code function: 9_2_00007FF6429D2DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,9_2_00007FF6429D2DA0
[Mitre ATT&CK matrix. Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Techniques that carry a number in the matrix (number as printed; some appear under more than one tactic): Scripting (1), Replication Through Removable Media (1), Command and Scripting Interpreter (1), PowerShell (1), DLL Side-Loading (1), Windows Service (1), Process Injection (11), Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Timestomp (1), File Deletion (1), Masquerading (21), Virtualization/Sandbox Evasion (121), System Time Discovery (1), Peripheral Device Discovery (11), File and Directory Discovery (1), System Information Discovery (24), Security Software Discovery (111), Process Discovery (1), Application Window Discovery (1), Archive Collected Data (1), Encrypted Channel (11), Non-Application Layer Protocol (2), Application Layer Protocol (3).]
[Behavior graph. ID: 1579136, Sample: q9bzWO2X1r.msi, Startdate: 20/12/2024, Architecture: WINDOWS, Score: 68]

No Antivirus matches
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_date_time.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_filesystem.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_system.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_threads.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\msvcp140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\utest.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140_1.dll | 0% | ReversingLabs
C:\Windows\Installer\MSI2652.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI3170.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI69E.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI72B.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI76B.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI7AA.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI7EA.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI839.tmp | 0% | ReversingLabs
C:\Windows\Installer\MSI878.tmp | 0% | ReversingLabs
NameIPActiveMaliciousAntivirus DetectionReputation
cubermo.com
172.67.164.25
truetrue
    unknown
Name | Malicious | Antivirus Detection | Reputation
https://cubermo.com/updater.php | true |  | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1854475965.000000000627B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1851181805.0000000005366000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1851181805.0000000005366000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://go.micro | powershell.exe, 00000003.00000002.1851181805.00000000058D3000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://contoso.com/ | powershell.exe, 00000003.00000002.1854475965.000000000627B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1854475965.000000000627B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://contoso.com/License | powershell.exe, 00000003.00000002.1854475965.000000000627B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://contoso.com/Icon | powershell.exe, 00000003.00000002.1854475965.000000000627B000.00000004.00000800.00020000.00000000.sdmp | false |  | high
http://schemas.mick | q9bzWO2X1r.msi, 5dfe15.msi.1.dr | false |  | unknown
http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter- | ImporterREDServer.exe, 0000000C.00000002.1914516294.00000001802BD000.00000002.00000001.01000000.00000008.sdmp | false |  | unknown
https://aka.ms/pscore6lBkq | powershell.exe, 00000003.00000002.1851181805.0000000005211000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://aka.ms/winui2/webview2download/Reload(): | q9bzWO2X1r.msi, 5dfe15.msi.1.dr | false |  | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.1851181805.0000000005211000.00000004.00000800.00020000.00000000.sdmp | false |  | high
https://cubermo.com/updater.phpx | q9bzWO2X1r.msi, 5dfe15.msi.1.dr | false |  | unknown
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1851181805.0000000005366000.00000004.00000800.00020000.00000000.sdmp | false |  | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
172.67.164.25 | cubermo.com | United States |  | 13335 | CLOUDFLARENETUS | true
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1579136
                                    Start date and time:2024-12-20 22:17:16 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 8m 16s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:15
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:q9bzWO2X1r.msi
                                    renamed because original name is a hash value
                                    Original Sample Name:8f04aa009c4431c6f5f7d7e9081862404b78bc4da0b59944706d0acc86dcfec0.msi
                                    Detection:MAL
                                    Classification:mal68.evad.winMSI@17/91@1/1
                                    EGA Information:
                                    • Successful, ratio: 33.3%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 15
                                    • Number of non-executed functions: 197
                                    Cookbook Comments:
                                    • Found application associated with file extension: .msi
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                    • Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                    • Execution Graph export aborted for target ImporterREDServer.exe, PID 8172 because there are no executed function
                                    • Execution Graph export aborted for target powershell.exe, PID 7748 because it is empty
                                    • Not all processes where analyzed, report is missing behavior information
                                    • VT rate limit hit for: q9bzWO2X1r.msi
Time | Type | Description
16:18:23 | API Interceptor | 6x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
172.67.164.25 | file.exe | Get hash | malicious | RedLine, SmokeLoader | Browse | sqribble.com/admin
                                    No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | Browse | 104.21.91.209
 | https://p.usertrackjvg.top/us | Get hash | malicious | HTMLPhisher | Browse | 104.21.39.136
 | Setup (3).exe.zip | Get hash | malicious | Unknown | Browse | 104.18.26.149
 | https://contractorssteelform1flows.powerappsportals.com/ | Get hash | malicious | HTMLPhisher | Browse | 104.18.31.19
 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 172.67.197.170
 | dF66DKQP7u.exe | Get hash | malicious | XWorm | Browse | 104.20.3.235
 | 2QaN4hOyJs.exe | Get hash | malicious | XWorm | Browse | 104.20.3.235
 | https://tekascend.com/Ray-verify.html | Get hash | malicious | NetSupport RAT | Browse | 1.1.1.1
 | YgJ5inWPQO.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | 104.20.22.46
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
37f463bf4616ecd445d4a1937da06e19 | doc00290320092.jse | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 172.67.164.25
 | Fortexternal.exe | Get hash | malicious | Unknown | Browse | 172.67.164.25
 | 676556be12ac3.vbs | Get hash | malicious | Mint Stealer | Browse | 172.67.164.25
 | PKO_0019289289544_PDF_#U2463#U2466#U2465#U2462#U2461#U2466#U2464#U2462.hta | Get hash | malicious | Mint Stealer | Browse | 172.67.164.25
 | ktyihkdfesf.exe | Get hash | malicious | Vidar | Browse | 172.67.164.25
 | pjthjsdjgjrtavv.exe | Get hash | malicious | Vidar | Browse | 172.67.164.25
 | FinTP-Update.exe | Get hash | malicious | CobaltStrike | Browse | 172.67.164.25
 | hrupdate.exe | Get hash | malicious | CobaltStrike | Browse | 172.67.164.25
 | hrupdate.exe | Get hash | malicious | CobaltStrike | Browse | 172.67.164.25
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe | Setup.msi | Get hash | malicious | Unknown | Browse |
 | build.msi | Get hash | malicious | Unknown | Browse |
 | Setup.msi | Get hash | malicious | Unknown | Browse |
 | New xlsx docs074252657723824 - Tuesday, December 3, 2024 at 03_42_05 PM_html | Get hash | malicious | Unknown | Browse |
 | m9u08f2pMF.msi | Get hash | malicious | Unknown | Browse |
 | cwqqRXEhZb.msi | Get hash | malicious | Unknown | Browse |
 | Setup.msi | Get hash | malicious | Unknown | Browse |
 | file.exe | Get hash | malicious | Unknown | Browse |
 | file.exe | Get hash | malicious | Unknown | Browse |
 | installer.msi | Get hash | malicious | Unknown | Browse |
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:modified
                                                        Size (bytes):20975
                                                        Entropy (8bit):5.7956948334877705
                                                        Encrypted:false
                                                        Malicious:false
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):1360
                                                        Entropy (8bit):5.415059038751397
                                                        Encrypted:false
                                                        Malicious:false
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                        File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):96
                                                        Entropy (8bit):2.99798449505456
                                                        Encrypted:false
                                                        Malicious:true
Preview: CeveralSes :<->:  <<:>> TrialNow :<->: 0 <<:>>
                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):6668
                                                        Entropy (8bit):3.5127462716425657
                                                        Encrypted:false
                                                        Malicious:true
Preview:
param(
  [alias("propFile")]      [Parameter(Mandatory=$true)] [string] $msiPropOutFilePath
 ,[alias("propSep")]       [Parameter(Mandatory=$true)] [string] $msiPropKVSeparator
 ,[alias("lineSep")]       [Parameter(Mandatory=$true)] [string] $msiPropLineSeparator
 ,[alias("scriptFile")]    [Parameter(Mandatory=$true)] [string] $userScriptFilePath
 ,[alias("scriptArgsFile")][Parameter(Mandatory=$false)][string] $userScriptArgsFilePath
 ,[Parameter(Mandatory=$true)]
                                                        Process:C:\Windows\SysWOW64\msiexec.exe
                                                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):250
                                                        Entropy (8bit):3.576902729499699
                                                        Encrypted:false
                                                        Malicious:true
Preview:
$oignqp = AI_GetMsiProperty "CeveralSes"
$avoijg = [uint32]($oignqp -replace 'b', '')
AI_SetMsiProperty "TrialNow" $avoijg
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):310928
                                                        Entropy (8bit):6.001677789306043
                                                        Encrypted:false
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):117496
                                                        Entropy (8bit):6.136079902481222
                                                        Encrypted:false
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):506008
                                                        Entropy (8bit):6.4284173495366845
                                                        Encrypted:false
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Joe Sandbox View:
                                                        • Filename: Setup.msi, Detection: malicious
                                                        • Filename: build.msi, Detection: malicious
                                                        • Filename: Setup.msi, Detection: malicious
                                                        • Filename: New xlsx docs074252657723824 - Tuesday, December 3, 2024 at 03_42_05 PM_html, Detection: malicious
                                                        • Filename: m9u08f2pMF.msi, Detection: malicious
                                                        • Filename: cwqqRXEhZb.msi, Detection: malicious
                                                        • Filename: Setup.msi, Detection: malicious
                                                        • Filename: file.exe, Detection: malicious
                                                        • Filename: file.exe, Detection: malicious
                                                        • Filename: installer.msi, Detection: malicious
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12224
                                                        Entropy (8bit):6.596101286914553
                                                        Encrypted:false
                                                        SSDEEP:192:4nWYhWxWWFYg7VWQ4uWjXUtpwBqnajrmaaGJ:2WYhWvZqlQGJ
                                                        MD5:919E653868A3D9F0C9865941573025DF
                                                        SHA1:EFF2D4FF97E2B8D7ED0E456CB53B74199118A2E2
                                                        SHA-256:2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
                                                        SHA-512:6AEC9D7767EB82EBC893EBD97D499DEBFF8DA130817B6BB4BCB5EB5DE1B074898F87DB4F6C48B50052D4F8A027B3A707CAD9D7ED5837A6DD9B53642B8A168932
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12224
                                                        Entropy (8bit):6.640081558424349
                                                        Encrypted:false
                                                        SSDEEP:192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu
                                                        MD5:7676560D0E9BC1EE9502D2F920D2892F
                                                        SHA1:4A7A7A99900E41FF8A359CA85949ACD828DDB068
                                                        SHA-256:00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
                                                        SHA-512:F1E8DB9AD44CD1AA991B9ED0E000C58978EB60B3B7D9908B6EB78E8146E9E12590B0014FC4A97BC490FFE378C0BF59A6E02109BFD8A01C3B6D0D653A5B612D15
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11712
                                                        Entropy (8bit):6.6023398138369505
                                                        Encrypted:false
                                                        SSDEEP:192:5WYhWYWWFYg7VWQ4SWSS/njxceXqnajLJ35H:5WYhW4gjmAlnJpH
                                                        MD5:AC51E3459E8FCE2A646A6AD4A2E220B9
                                                        SHA1:60CF810B7AD8F460D0B8783CE5E5BBCD61C82F1A
                                                        SHA-256:77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
                                                        SHA-512:6239240D4F4FA64FC771370FB25A16269F91A59A81A99A6A021B8F57CA93D6BB3B3FCECC8DEDE0EF7914652A2C85D84D774F13A4143536A3F986487A776A2EAE
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11720
                                                        Entropy (8bit):6.614262942006268
                                                        Encrypted:false
                                                        SSDEEP:192:4WYhWFsWWFYg7VWQ4eWZzAR/BVrqnajcJH:4WYhWFMJRLlA5
                                                        MD5:B0E0678DDC403EFFC7CDC69AE6D641FB
                                                        SHA1:C1A4CE4DED47740D3518CD1FF9E9CE277D959335
                                                        SHA-256:45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
                                                        SHA-512:2BADF761A0614D09A60D0ABB6289EBCBFA3BF69425640EB8494571AFD569C8695AE20130AAC0E1025E8739D76A9BFF2EFC9B4358B49EFE162B2773BE9C3E2AD4
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11720
                                                        Entropy (8bit):6.654155040985372
                                                        Encrypted:false
                                                        SSDEEP:192:imxD3vEWYhWnWWFYg7VWQ4eWMOwNbDXbBqnaj0qJm8:iIEWYhWFpLbBlwqJm
                                                        MD5:94788729C9E7B9C888F4E323A27AB548
                                                        SHA1:B0BA0C4CF1D8B2B94532AA1880310F28E87756EC
                                                        SHA-256:ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
                                                        SHA-512:AB65495B1D0DD261F2669E04DC18A8DA8F837B9AC622FC69FDE271FF5E6AA958B1544EDD8988F017D3DD83454756812C927A7702B1ED71247E506530A11F21C6
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):15304
                                                        Entropy (8bit):6.548897063441128
                                                        Encrypted:false
                                                        SSDEEP:192:+AuVYPvVX8rFTsRWYhWyWWFYg7VWQ4eWQBAW+JSdqnajeMoLR9au:TBPvVXLWYhWiBdlaLFAu
                                                        MD5:580D9EA2308FC2D2D2054A79EA63227C
                                                        SHA1:04B3F21CBBA6D59A61CD839AE3192EA111856F65
                                                        SHA-256:7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
                                                        SHA-512:97C1D3F4F9ADD03F21C6B3517E1D88D1BF9A8733D7BDCA1AECBA9E238D58FF35780C4D865461CC7CD29E9480B3B3B60864ABB664DCDC6F691383D0B281C33369
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11712
                                                        Entropy (8bit):6.622041192039296
                                                        Encrypted:false
                                                        SSDEEP:192:dzWYhW1sWWFYg7VWQ4yWL3sQlmqnajlD4h1N:BWYhW2e6l94h1N
                                                        MD5:35BC1F1C6FBCCEC7EB8819178EF67664
                                                        SHA1:BBCAD0148FF008E984A75937AADDF1EF6FDA5E0C
                                                        SHA-256:7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
                                                        SHA-512:9AB9B5B12215E57AF5B3C588ED5003D978071DC591ED18C78C4563381A132EDB7B2C508A8B75B4F1ED8823118D23C88EDA453CD4B42B9020463416F8F6832A3D
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11720
                                                        Entropy (8bit):6.730719514840594
                                                        Encrypted:false
                                                        SSDEEP:192:/VyWYhWjAWWFYg7VWQ4eWiuNwzNbDXbBqnaj0q:/VyWYhW8g+LbBlwq
                                                        MD5:3BF4406DE02AA148F460E5D709F4F67D
                                                        SHA1:89B28107C39BB216DA00507FFD8ADB7838D883F6
                                                        SHA-256:349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
                                                        SHA-512:5FF6E8AD602D9E31AC88E06A6FBB54303C57D011C388F46D957AEE8CD3B7D7CCED8B6BFA821FF347ADE62F7359ACB1FBA9EE181527F349C03D295BDB74EFBACE
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11720
                                                        Entropy (8bit):6.626458901834476
                                                        Encrypted:false
                                                        SSDEEP:192:P9RWYhWEWWFYg7VWQ4eWncTjxceXqnajLJS:LWYhWk3TjmAlnJS
                                                        MD5:BBAFA10627AF6DFAE5ED6E4AEAE57B2A
                                                        SHA1:3094832B393416F212DB9107ADD80A6E93A37947
                                                        SHA-256:C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
                                                        SHA-512:D5FCBA2314FFE7FF6E8B350D65A2CDD99CA95EA36B71B861733BC1ED6B6BB4D85D4B1C4C4DE2769FBF90D4100B343C250347D9ED1425F4A6C3FE6A20AED01F17
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12232
                                                        Entropy (8bit):6.577869728469469
                                                        Encrypted:false
                                                        SSDEEP:192:5t6DjZlTIWYhWsWWFYg7VWQ4eW4MtkR/BVrqnajc:5t6Dll0WYhWMqkRLlA
                                                        MD5:3A4B6B36470BAD66621542F6D0D153AB
                                                        SHA1:5005454BA8E13BAC64189C7A8416ECC1E3834DC6
                                                        SHA-256:2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
                                                        SHA-512:84B00167ABE67F6B58341045012723EF4839C1DFC0D8F7242370C4AD9FABBE4FEEFE73F9C6F7953EAE30422E0E743DC62503A0E8F7449E11C5820F2DFCA89294
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11712
                                                        Entropy (8bit):6.6496318655699795
                                                        Encrypted:false
                                                        SSDEEP:192:nWYhWNWWFYg7VWQ4uWtGDlR/BVrqnajcU8:nWYhWLJDlRLlAU8
                                                        MD5:A038716D7BBD490378B26642C0C18E94
                                                        SHA1:29CD67219B65339B637A1716A78221915CEB4370
                                                        SHA-256:B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
                                                        SHA-512:43CB12D715DDA4DCDB131D99127417A71A16E4491BC2D5723F63A1C6DFABE578553BC9DC8CF8EFFAE4A6BE3E65422EC82079396E9A4D766BF91681BDBD7837B1
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12736
                                                        Entropy (8bit):6.587452239016064
                                                        Encrypted:false
                                                        SSDEEP:192:FvuBL3BBLZWYhWxWWFYg7VWQ4uW4g0jrQYcunYqnajv9Ml:FvuBL3BPWYhWv8jYulhMl
                                                        MD5:D75144FCB3897425A855A270331E38C9
                                                        SHA1:132C9ADE61D574AA318E835EB78C4CCCDDEFDEA2
                                                        SHA-256:08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
                                                        SHA-512:295A6699529D6B173F686C9BBB412F38D646C66AAB329EAC4C36713FDD32A3728B9C929F9DCADDE562F625FB80BC79026A52772141AD2080A0C9797305ADFF2E
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):14280
                                                        Entropy (8bit):6.658205945107734
                                                        Encrypted:false
                                                        SSDEEP:384:NOMw3zdp3bwjGzue9/0jCRrndbwNWYhW6WAulh2:NOMwBprwjGzue9/0jCRrndbw5D
                                                        MD5:8ACB83D102DABD9A5017A94239A2B0C6
                                                        SHA1:9B43A40A7B498E02F96107E1524FE2F4112D36AE
                                                        SHA-256:059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
                                                        SHA-512:B7ECF60E20098EA509B76B1CC308A954A6EDE8D836BF709790CE7D4BD1B85B84CF5F3AEDF55AF225D2D21FBD3065D01AA201DAE6C131B8E1E3AA80ED6FC910A4
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12224
                                                        Entropy (8bit):6.621310788423453
                                                        Encrypted:false
                                                        SSDEEP:96:qo1aCFEWYhWwp/DEs39DHDs35FrsvYgmr0DD0ADEs3TDL2L4m2grMWaLNpDEs3OC:teWYhWVWWFYg7VWQ4yWwAKZRqnajl6x7
                                                        MD5:808F1CB8F155E871A33D85510A360E9E
                                                        SHA1:C6251ABFF887789F1F4FC6B9D85705788379D149
                                                        SHA-256:DADBD2204B015E81F94C537AC7A36CD39F82D7C366C193062210C7288BAA19E3
                                                        SHA-512:441F36CA196E1C773FADF17A0F64C2BBDC6AF22B8756A4A576E6B8469B4267E942571A0AE81F4B2230B8DE55702F2E1260E8D0AFD5447F2EA52F467F4CAA9BC6
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11720
                                                        Entropy (8bit):6.7263193693903345
                                                        Encrypted:false
                                                        SSDEEP:192:cWYhWZSWWFYg7VWQ4eWkcc7ZqnajgnLSp:cWYhW84cllk2p
                                                        MD5:CFF476BB11CC50C41D8D3BF5183D07EC
                                                        SHA1:71E0036364FD49E3E535093E665F15E05A3BDE8F
                                                        SHA-256:B57E70798AF248F91C8C46A3F3B2952EFFAE92CA8EF9640C952467BC6726F363
                                                        SHA-512:7A87E4EE08169E9390D0DFE607E9A220DC7963F9B4C2CDC2F8C33D706E90DC405FBEE00DDC4943794FB502D9882B21FAAE3486BC66B97348121AE665AE58B01C
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12744
                                                        Entropy (8bit):6.601327134572443
                                                        Encrypted:false
                                                        SSDEEP:192:qKWYhWbWWFYg7VWQ4eWYoWjxceXqnajLJe:qKWYhWJ4WjmAlnJe
                                                        MD5:F43286B695326FC0C20704F0EEBFDEA6
                                                        SHA1:3E0189D2A1968D7F54E721B1C8949487EF11B871
                                                        SHA-256:AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
                                                        SHA-512:6EAD35348477A08F48A9DEB94D26DA5F4E4683E36F0A46117B078311235C8B9B40C17259C2671A90D1A210F73BF94C9C063404280AC5DD5C7F9971470BEAF8B7
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):14272
                                                        Entropy (8bit):6.519411559704781
                                                        Encrypted:false
                                                        SSDEEP:192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
                                                        MD5:E173F3AB46096482C4361378F6DCB261
                                                        SHA1:7922932D87D3E32CE708F071C02FB86D33562530
                                                        SHA-256:C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
                                                        SHA-512:3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12232
                                                        Entropy (8bit):6.659079053710614
                                                        Encrypted:false
                                                        SSDEEP:192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
                                                        MD5:9C9B50B204FCB84265810EF1F3C5D70A
                                                        SHA1:0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
                                                        SHA-256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
                                                        SHA-512:EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11200
                                                        Entropy (8bit):6.7627840671368835
                                                        Encrypted:false
                                                        SSDEEP:192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
                                                        MD5:0233F97324AAAA048F705D999244BC71
                                                        SHA1:5427D57D0354A103D4BB8B655C31E3189192FC6A
                                                        SHA-256:42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
                                                        SHA-512:8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12224
                                                        Entropy (8bit):6.590253878523919
                                                        Encrypted:false
                                                        SSDEEP:192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
                                                        MD5:E1BA66696901CF9B456559861F92786E
                                                        SHA1:D28266C7EDE971DC875360EB1F5EA8571693603E
                                                        SHA-256:02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
                                                        SHA-512:08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11720
                                                        Entropy (8bit):6.672720452347989
                                                        Encrypted:false
                                                        SSDEEP:192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
                                                        MD5:7A15B909B6B11A3BE6458604B2FF6F5E
                                                        SHA1:0FEB824D22B6BEEB97BCE58225688CB84AC809C7
                                                        SHA-256:9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
                                                        SHA-512:D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):13760
                                                        Entropy (8bit):6.575688560984027
                                                        Encrypted:false
                                                        SSDEEP:192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
                                                        MD5:6C3FCD71A6A1A39EAB3E5C2FD72172CD
                                                        SHA1:15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
                                                        SHA-256:A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
                                                        SHA-512:EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12232
                                                        Entropy (8bit):6.70261983917014
                                                        Encrypted:false
                                                        SSDEEP:192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
                                                        MD5:D175430EFF058838CEE2E334951F6C9C
                                                        SHA1:7F17FBDCEF12042D215828C1D6675E483A4C62B1
                                                        SHA-256:1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
                                                        SHA-512:6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12744
                                                        Entropy (8bit):6.599515320379107
                                                        Encrypted:false
                                                        SSDEEP:192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
                                                        MD5:9D43B5E3C7C529425EDF1183511C29E4
                                                        SHA1:07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
                                                        SHA-256:19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
                                                        SHA-512:C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12232
                                                        Entropy (8bit):6.690164913578267
                                                        Encrypted:false
                                                        SSDEEP:192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
                                                        MD5:43E1AE2E432EB99AA4427BB68F8826BB
                                                        SHA1:EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
                                                        SHA-256:3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
                                                        SHA-512:40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):11720
                                                        Entropy (8bit):6.615761482304143
                                                        Encrypted:false
                                                        SSDEEP:192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
                                                        MD5:735636096B86B761DA49EF26A1C7F779
                                                        SHA1:E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
                                                        SHA-256:5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
                                                        SHA-512:3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12744
                                                        Entropy (8bit):6.627282858694643
                                                        Encrypted:false
                                                        SSDEEP:192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
                                                        MD5:031DC390780AC08F498E82A5604EF1EB
                                                        SHA1:CF23D59674286D3DC7A3B10CD8689490F583F15F
                                                        SHA-256:B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
                                                        SHA-512:1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):15816
                                                        Entropy (8bit):6.435326465651674
                                                        Encrypted:false
                                                        SSDEEP:192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
                                                        MD5:285DCD72D73559678CFD3ED39F81DDAD
                                                        SHA1:DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
                                                        SHA-256:6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
                                                        SHA-512:84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):12232
                                                        Entropy (8bit):6.5874576656353145
                                                        Encrypted:false
                                                        SSDEEP:192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
                                                        MD5:5CCE7A5ED4C2EBAF9243B324F6618C0E
                                                        SHA1:FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
                                                        SHA-256:AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
                                                        SHA-512:FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):13768
                                                        Entropy (8bit):6.645869978118917
                                                        Encrypted:false
                                                        SSDEEP:192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
                                                        MD5:41FBBB054AF69F0141E8FC7480D7F122
                                                        SHA1:3613A572B462845D6478A92A94769885DA0843AF
                                                        SHA-256:974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
                                                        SHA-512:97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):61176
                                                        Entropy (8bit):5.850944458899023
                                                        Encrypted:false
                                                        SSDEEP:1536:8dAqjxlblBAeX9cMPqnLQmnSPFCCBXuk9:8d1l59cJbSNZBXuO
                                                        MD5:3B02A4FCAAC283D3C5E082B62F88BE25
                                                        SHA1:C230237FA2BEF46A4C9649871EE46BBA89958C4E
                                                        SHA-256:D02FB06775ED21CE1124C5A9BA42D7E00872C4CAF3933F0852FFD98591EE9790
                                                        SHA-512:9FE3ACDC6CDC51F56AB205A669F3865FB18DA79750A62E896615AF98F4D37B4A5DADB898126B421133CBD86805A1A84D1C92A429F88AA2152D07939BEBEB93B0
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):127224
                                                        Entropy (8bit):6.217127607919178
                                                        Encrypted:false
                                                        SSDEEP:1536:KOMFt1bvZ+4WYoIW9YAlqlEO/NiuE0PJmISN10ZpzdUAsSAl9/mEzuEVvHV7Gvru:fMFZ+4azlqlEO/0d0PkIxPYGX6
                                                        MD5:ABDA3CF0D286D6CC5EC2CB1B49DBC180
                                                        SHA1:85CA9C24AD7CF07830E86607723770645D724C28
                                                        SHA-256:5549E8D3C90AFC8A90558529FE0127CE8A36805D853ED2BBD2A832E497D07405
                                                        SHA-512:AF813D4529C7971C6427E84C21275F2D703495E8BCDE72112ED400FCF2BFD64D1E3754E7A8D95A4D1953472C3C9821EF0444CD844F02AE31FA2C5FA8D93E66CF
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):418040
                                                        Entropy (8bit):6.1735291180760505
                                                        Encrypted:false
                                                        SSDEEP:6144:vJXvKtM+eZLmd2Mht6hBj2+1J3Hw2iojntPqbmdv0Pz:vJXvcMRZLmd2Mht6hBj3A2iW8WO
                                                        MD5:1CC74B77B1A0B6F14B19F45412D62227
                                                        SHA1:25C8D5B1DD13C826AC97995E2265E7960877A869
                                                        SHA-256:1314E7F48DCFAA9ED62AD80C19D4EAD856C6D216D6F80B8EFA1A3803087C506A
                                                        SHA-512:CA88D9DB167FEE11DCF88FD365DBAEF9E2704996E622F1523943C5AF54D6AE2546D860DB86B20757C89FA52E4140D474EB0EA4A69042AA4CAAF6125E0D5381D9
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):698104
                                                        Entropy (8bit):6.463466021766765
                                                        Encrypted:false
                                                        SSDEEP:12288:rtCgw2rHcLfk4heNe39mSOWE64h/5+JLkxBdmmVaSV:JCglHsfb9vzE64h/CAxBdmmVaSV
                                                        MD5:087DAF44CD13B79E4D59068B3A1C6250
                                                        SHA1:653FB242A44C7742764C77D8249D00DDDC1C867E
                                                        SHA-256:7AAFC98B0189C4DB66E03EC69B0DA58E59F5728FA9C37F7A61D1531E4D146FD6
                                                        SHA-512:3BB7494191EDDA18416B425762EA35B1C614CA420E6D0A8BBA5B9749C453F2552435FC97CF4532E088BBEC2B57A7DC9F782F7C7CEC67F96A33511C367F6A5052
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):31480
                                                        Entropy (8bit):5.969706735107452
                                                        Encrypted:false
                                                        SSDEEP:384:rTnmLAtoAmXkI4WW9jLU7gJX5ZGz/5UtxcNPMUyZJKSm/dAgZsHL4DhAm:noxXzI5Z05uqlyEiRUhR
                                                        MD5:CC2C7E9435E8F818F3114AEFCC84E053
                                                        SHA1:F106C5EEAA3545CB85BA1217F40E4AE8F047E69E
                                                        SHA-256:59415F12FF688B58C9180A545F4836A4C2DDF472C232B3BE9FAB7965F9980924
                                                        SHA-512:316D0F0374DA2818CC1A83A6F8BE8E70CCCC2D9F37DB54DF9322FF26FF436EB18532CEB549F286E569E1A6B82BA1345FFE4A7ADC678AE450FC5C3C637F24259D
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):103672
                                                        Entropy (8bit):5.851546804507911
                                                        Encrypted:false
                                                        SSDEEP:1536:DkEZwX0tTbIIJdLJABqKSimO9K64vaO4WpgXyhchiUKcvKXMnVOlVS:QErbXvAxO41yhcBvKXwaVS
                                                        MD5:129051E3B7B8D3CC55559BEDBED09486
                                                        SHA1:E257D69C91594C623A8649AC3F76DC4B0C4D8EDF
                                                        SHA-256:73BFA0700A1C1631483D1ADC79A5225066A28A5CA94D70267DE6B0573BF11BDF
                                                        SHA-512:6DCF486B58A0C8E16CB0A2A0B7C53812275DF7E55CEBE94B645517D2A061A67CA3B9CFDDA4F94E89BE57D3B629540C4A45DD153EF84DB90E46D06257A936831A
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):57488
                                                        Entropy (8bit):6.382541157520703
                                                        Encrypted:false
                                                        SSDEEP:768:eQ6XULhGj8TzwsoeZwVAsuEIBh8v6H3eQdFyN+yghK3m5rR8vSoQuSd:ECVbTGkiE/c+XA3g2L7S
                                                        MD5:71F796B486C7FAF25B9B16233A7CE0CD
                                                        SHA1:21FFC41E62CD5F2EFCC94BAF71BD2659B76D28D3
                                                        SHA-256:B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
                                                        SHA-512:A82EA6FC7E7096C10763F2D821081F1B1AFFA391684B8B47B5071640C8A4772F555B953445664C89A7DFDB528C5D91A9ADDB5D73F4F5E7509C6D58697ED68432
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):4664568
                                                        Entropy (8bit):6.259383987199329
                                                        Encrypted:false
                                                        SSDEEP:49152:AroFmAk9nrwChDI061WcO0ABWmIex2MvOGL//VCsHqwApmqamnBObTETCAtdB8n:0tI0OWiVmIek+QpmqtB+9
                                                        MD5:A6A89F55416DB79D9E13B82685A04D60
                                                        SHA1:EDE6DE1377BBE28E1F0D0DEF095367F1E788FE3B
                                                        SHA-256:22D7C730C0092CDE5E339276F45882ACF4E172269153C6A328D83314DBACEF4B
                                                        SHA-512:D2A734AE3ACC3033C050634839E32F90AE29862D77EC28B87945D62D44562ED56AC2A4266BC70F0F42CACCC0A7D93B07E2B42D7FFCEFE2F599A6A9DC2F26C583
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):215288
                                                        Entropy (8bit):6.050529290720027
                                                        Encrypted:false
                                                        SSDEEP:3072:emvBIfdYtwUTAgsHW0Akz0dMtTWYUQ4TyjEXv8pQxI88hw:ekBIATA1z7tTzovXv8Kxzj
                                                        MD5:BF5EE5008353BB5C52DCF8821082CE6B
                                                        SHA1:F85B517F96FE87D953925D05238345A03594C8F8
                                                        SHA-256:9273A49CAC32ACA5358A77D41DE00FEB589ED3285B2B2E07E9CE9CEBF80BAA31
                                                        SHA-512:B5862D1679AB4F44B228C3E52F5CB98616BF089BAD5EC3BBB63ABDCABDDB55C71C36628E2945C7460AA33F836D85A1A320BF2C704072B307A3B719CD3C6A8549
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:RAR archive data, v5
                                                        Category:dropped
                                                        Size (bytes):412462
                                                        Entropy (8bit):7.999519780442931
                                                        Encrypted:true
                                                        SSDEEP:12288:27634PcA6GT5MwXu7x9GDw5GIFzIVx1OkS5+M:22IPcA6WMwe7vGD+GIFsdIEM
                                                        MD5:215BA0FF573A83BCE1AC79CFB0B0F279
                                                        SHA1:49B028FC1A8C17ED86BE46C1832CC38CA35B79C1
                                                        SHA-256:9DFE744D3A65C208836441BF48CC316F4774606A3D86BB9641A04DE41655A0A9
                                                        SHA-512:BF88F52C31FD5CD026F6DAA4740C805A3284D5B11F16670DBAA843C589DF73F1C86D3D908AC65C138A3FF683BF01FABC585D9E4B7DEDF0569A2B3EEC3DCA0AAE
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):566704
                                                        Entropy (8bit):6.494428734965787
                                                        Encrypted:false
                                                        SSDEEP:12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
                                                        MD5:6DA7F4530EDB350CF9D967D969CCECF8
                                                        SHA1:3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
                                                        SHA-256:9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
                                                        SHA-512:1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):22
                                                        Entropy (8bit):3.879664004902594
                                                        Encrypted:false
                                                        SSDEEP:3:mKDDlR+7H6U:hOD6U
                                                        MD5:D9324699E54DC12B3B207C7433E1711C
                                                        SHA1:864EB0A68C2979DCFF624118C9C0618FF76FA76C
                                                        SHA-256:EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
                                                        SHA-512:E8CC55B04A744A71157FCCA040B8365473C1165B3446E00C61AD697427221BE11271144F93F853F22906D0FEB61BC49ADFE9CBA0A1F3B3905E7AD6BD57655EB8
                                                        Malicious:false
                                                        Preview:@echo off..Start "" %1
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):12124160
                                                        Entropy (8bit):4.1175508751036585
                                                        Encrypted:false
                                                        SSDEEP:49152:opbNLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8p8j:o9NDU1eB1
                                                        MD5:8A13CBE402E0BBF3DA56315F0EBA7F8E
                                                        SHA1:EE8B33FA87D7FA04B9B7766BCF2E2C39C4F641EA
                                                        SHA-256:7B5E6A18A805D030779757B5B9C62721200AD899710FF930FC1C72259383278C
                                                        SHA-512:46B804321AB1642427572DD141761E559924AF5D015F3F1DD97795FB74B6795408DEAD5EA822D2EB8FBD88E747ECCAD9C3EE8F9884DFDB73E87FAD7B541391DA
                                                        Malicious:false
                                                        Preview:... Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925 ...
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):12124160
                                                        Entropy (8bit):4.117842215789484
                                                        Encrypted:false
                                                        SSDEEP:49152:lIsY5NLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8v:lYNDUK7k59
                                                        MD5:8DD2CDF8B1702DEE25F4BC2DCE10DA8F
                                                        SHA1:7AE8D142C41159D65C7AB9598C90EC1DF33138D1
                                                        SHA-256:B19E92D742D8989D275BB34FB7828211969997D38FF9250D9561F432D5C5F62C
                                                        SHA-512:6CEBD788559543623A3F54154F6C84E31A9716CFFA19D199087F0704CC9016F54CF0B3CFF6D8DB65428138EEB12553B23EBA7EDAF5B64A050A077DD2951286B0
                                                        Malicious:false
                                                        Preview:... Java HotSpot(TM) 64-Bit Server VM (15.0.1+9-18) for windows-amd64 JRE (15.0.1+9-18), built on Sep 15 2020 14:43:54 by "mach5one" with unknown MS VC++:1925 ...
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Java jmod module version 1.0
                                                        Category:dropped
                                                        Size (bytes):51389
                                                        Entropy (8bit):7.916683616123071
                                                        Encrypted:false
                                                        SSDEEP:768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
                                                        MD5:8F4C0388762CD566EAE3261FF8E55D14
                                                        SHA1:B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
                                                        SHA-256:AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
                                                        SHA-512:1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Java jmod module version 1.0
                                                        Category:dropped
                                                        Size (bytes):12133334
                                                        Entropy (8bit):7.944474086295981
                                                        Encrypted:false
                                                        SSDEEP:196608:h6fa1BzmQR9sZTGVq8B4ISiOCC0SabOyigGRA7OtuPZIWeXB:6a1gk+8B4IS8S2OyiJRA7OtYZaB
                                                        MD5:E3705B15388EC3BDFE799AD5DB80B172
                                                        SHA1:0B9B77F028727C73265393A68F37FC69C30205BD
                                                        SHA-256:BE59AC0E673827B731CF5616B41DA11581A5863285FEA1A0696AA4F93796BCC3
                                                        SHA-512:CA44B3E7658232FCC19C9AD223455F326D34B17384E566B8CAF0F7409D71B2B86F4089BF4A35128EC6CFFE080DF84C69C72C22B230FB0F2F8CB345442318F737
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Java jmod module version 1.0
                                                        Category:dropped
                                                        Size (bytes):41127
                                                        Entropy (8bit):7.961466748192397
                                                        Encrypted:false
                                                        SSDEEP:768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
                                                        MD5:D039093C051B1D555C8F9B245B3D7FA0
                                                        SHA1:C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
                                                        SHA-256:4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
                                                        SHA-512:334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Java jmod module version 1.0
                                                        Category:dropped
                                                        Size (bytes):113725
                                                        Entropy (8bit):7.928841651831531
                                                        Encrypted:false
                                                        SSDEEP:3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
                                                        MD5:3A03EF8F05A2D0472AE865D9457DAB32
                                                        SHA1:7204170A08115A16A50D5A06C3DE7B0ADB6113B1
                                                        SHA-256:584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
                                                        SHA-512:1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Java jmod module version 1.0
                                                        Category:dropped
                                                        Size (bytes):896846
                                                        Entropy (8bit):7.923431656723031
                                                        Encrypted:false
                                                        SSDEEP:12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
                                                        MD5:C6FBB7D49CAA027010C2A817D80CA77C
                                                        SHA1:4191E275E1154271ABF1E54E85A4FF94F59E7223
                                                        SHA-256:1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
                                                        SHA-512:FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):639224
                                                        Entropy (8bit):6.219852228773659
                                                        Encrypted:false
                                                        SSDEEP:12288:FgLcjQQPKZZK8aF4yBj3Fnx4DMDO8jalo:FggjQKuyDnxvOYaC
                                                        MD5:01DACEA3CBE5F2557D0816FC64FAE363
                                                        SHA1:566064A9CB1E33DB10681189A45B105CDD504FD4
                                                        SHA-256:B4C96B1E5EEE34871D9AB43BCEE8096089742032C0669DF3C9234941AAC3D502
                                                        SHA-512:C22BFE54894C26C0BD8A99848B33E1B9A9859B3C0C893CB6039F9486562C98AA4CEAB0D28C98C1038BD62160E03961A255B6F8627A7B2BB51B86CC7D6CBA9151
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):98224
                                                        Entropy (8bit):6.452201564717313
                                                        Encrypted:false
                                                        SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
                                                        MD5:F34EB034AA4A9735218686590CBA2E8B
                                                        SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
                                                        SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
                                                        SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):37256
                                                        Entropy (8bit):6.297533243519742
                                                        Encrypted:false
                                                        SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
                                                        MD5:135359D350F72AD4BF716B764D39E749
                                                        SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
                                                        SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
                                                        SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:MS Windows icon resource - 7 icons, 256x256, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                        Category:dropped
                                                        Size (bytes):372526
                                                        Entropy (8bit):4.467275942115759
                                                        Encrypted:false
                                                        SSDEEP:3072:aAVWno2eoqXRy8QGSi6H0NOJe6ay1lrnyoeFM8UuPLZoELS/8taek6KYrOzzCIhZ:LCANx6xPZX9mBW
                                                        MD5:B52B2D1D4C9E56CA24AB0CD0730CC5AD
                                                        SHA1:C70A3683DF57DE3096CA58F314C0B649035392CC
                                                        SHA-256:73CDA59B9158F5DCA967A6EC24A3608C672DCA63F714BFD7B7B5F81C1303F457
                                                        SHA-512:CDCAB1C415B87948AD45C967D6C50EA24935D7E58CFC30717E2943D9CE9F5DDEFCB5E60BCE58F9F387635EA30E1A0399DBA644316CC53F1802BAE73B76CB1BFA
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {E9CB290E-752A-4229-A41F-83542B67B9E5}, Number of Words: 10, Subject: App x installer, Author: Coors Q Corporation, Name of Creating Application: App x installer, Template: x64;2057, Comments: This installer database contains the logic and data required to install App x installer., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Dec 20 14:33:58 2024, Last Saved Time/Date: Fri Dec 20 14:33:58 2024, Last Printed: Fri Dec 20 14:33:58 2024, Number of Pages: 450
                                                        Category:dropped
                                                        Size (bytes):60337152
                                                        Entropy (8bit):7.202552595393978
                                                        Encrypted:false
                                                        SSDEEP:786432:wWZbjVmrjV7eIAtehOTZioZ4sdUuzt/NCaY2ksC:wWdVmrjV7eIvhOTZvRjVCa1t
                                                        MD5:43A80979E479CA95D6438D5B01554EFF
                                                        SHA1:CE76F966151CA4E1693C2B0A8DE999A792299F70
                                                        SHA-256:8F04AA009C4431C6F5F7D7E9081862404B78BC4DA0B59944706D0ACC86DCFEC0
                                                        SHA-512:EBAA90B74833B57138AAC8B87D22CECA771106E635A29373CD60CA297491C45555B7278396E2766706509D3595E54B84273126B89F6CD15E19C523204FDA2506
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):380520
                                                        Entropy (8bit):6.512348002260683
                                                        Encrypted:false
                                                        SSDEEP:6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
                                                        MD5:FFDAACB43C074A8CB9A608C612D7540B
                                                        SHA1:8F054A7F77853DE365A7763D93933660E6E1A890
                                                        SHA-256:7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
                                                        SHA-512:A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):393114
                                                        Entropy (8bit):4.736576926482241
                                                        Encrypted:false
                                                        SSDEEP:3072:3c92AVWno2eoqXRy8QGSi6H0NOJe6ay1lrnyoeFM8UuPLZoELS/8taek6KYrOzzj:3c93CANx6xPZX9mBC
                                                        MD5:B21EDE2E2458BC54BB1F25A347AA1FE8
                                                        SHA1:9D954EA118393D25FA14DBAC6D347818D292782F
                                                        SHA-256:F569847C8D9BEE1501F62350BC515C4BB79D99526D11896E6DF434549491FEC3
                                                        SHA-512:B980BA4617A0B57139522E9FA0BC0A12DC65324E6DCA21F4B5D4BD01F885C5726BED580AFCFB0C844147D4F97E9236D48BB503B16950E1F754B35F150D96C2F5
                                                        Malicious:false
                                                        Preview:...@IXOS.@.....@L..Y.@.....@.....@.....@.....@.....@......&.{25141F70-E594-4AAF-AF96-6FC4779FE34B}..App x installer..q9bzWO2X1r.msi.@.....@.....@.....@......icon_22.exe..&.{E9CB290E-752A-4229-A41F-83542B67B9E5}.....@.....@.....@.....@.......@.....@.....@.......@......App x installer......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@4....@.....@.]....&.{F39C344E-A83E-4760-8DA8-F27602095B4F}C.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\.@.......@.....@.....@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}8.21:\Software\Coors Q Corporation\App x installer\Version.@.......@.....@.....@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}N.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll.@.......@.....@.....@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}U.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.d
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):787808
                                                        Entropy (8bit):6.693392695195763
                                                        Encrypted:false
                                                        SSDEEP:24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
                                                        MD5:8CF47242B5DF6A7F6D2D7AF9CC3A7921
                                                        SHA1:B51595A8A113CF889B0D1DD4B04DF16B3E18F318
                                                        SHA-256:CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
                                                        SHA-512:748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1021792
                                                        Entropy (8bit):6.608727172078022
                                                        Encrypted:false
                                                        SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                        MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                        SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                        SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                        SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):1201504
                                                        Entropy (8bit):6.4557937684843365
                                                        Encrypted:false
                                                        SSDEEP:24576:W4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWeTIUGVUrHtAkJMsFUh29BKjxw:D2QxNwCsec+4VGWSlnfYvO3UGVUrHtAg
                                                        MD5:E83D774F643972B8ECCDB3A34DA135C5
                                                        SHA1:A58ECCFB12D723C3460563C5191D604DEF235D15
                                                        SHA-256:D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
                                                        SHA-512:CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
                                                        Malicious:false
                                                        Antivirus:
                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                        Category:dropped
                                                        Size (bytes):20480
                                                        Entropy (8bit):1.1645614326194598
                                                        Encrypted:false
                                                        SSDEEP:12:JSbX72FjtAGiLIlHVRpZh/7777777777777777777777777vDHFwGmE8it/l0i8Q:JrQI5t6+iF
                                                        MD5:8CD8F123753432E712E1842C46C3498D
                                                        SHA1:A2D81A81B107BECC2DF657453F64842B690C2A7E
                                                        SHA-256:3FAAE4F0D72E7B3BE33FCAE0EA332CD6C58879CC21596BC1A359A223B25FFDA9
                                                        SHA-512:01E6B4C75569E101EEC00C1B32B8E766DB6166A3C1838A0C5C5AC1F54D1CAA2DB7256EC1FB7F2B35330A6D6A695894C5B92A40F1DB0E1C572E347389BA526E06
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                        Category:dropped
                                                        Size (bytes):20480
                                                        Entropy (8bit):1.5869498648117375
                                                        Encrypted:false
                                                        SSDEEP:48:AD8PhXuRc06WXJ0nT5nYQ2BAAECiCyVSCvo5MUX2ySCOTnWPG:phX13nTIZECe0XjqW
                                                        MD5:DDE0152A5090AA53C61AAF2A62962378
                                                        SHA1:CC0E184F48A3E0C98E7C94BDDF7FD67554867A03
                                                        SHA-256:12F68F8B1D9767FBA0BB69CB847AD71A07C3D314FF52CCBEF8D3EF2FE4065C99
                                                        SHA-512:AB24BB38E3DB80CBD67B4974CAF51DCD47B527876330F281530E2ADC7BC38B0AC5DDAC30BD392CB2131C23FD2B544C87FE17B3E064F2FEF7A9F13375FEC965B0
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):432221
                                                        Entropy (8bit):5.375173317995598
                                                        Encrypted:false
                                                        SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgaup:zTtbmkExhMJCIpErk
                                                        MD5:0554982B689118AB6FB4DCBA0DE653A6
                                                        SHA1:FBE2A6212060DBAED8722F1D2D605573A639755B
                                                        SHA-256:B317A792CBD67ADC217458EC637578F07BC91CBCFD917ADF5AA940FCD8168E36
                                                        SHA-512:74E611BD373594E8817A1796BB3963EC2999B95C1CA89B646E7305E4494155B613584BD2B18B530DEF0124303FD4E9C1A153BDA2AD359EC1B54C410497355F71
                                                        Malicious:false
                                                        Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):512
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3::
                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):512
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3::
                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                        Category:dropped
                                                        Size (bytes):20480
                                                        Entropy (8bit):1.5869498648117375
                                                        Encrypted:false
                                                        SSDEEP:48:AD8PhXuRc06WXJ0nT5nYQ2BAAECiCyVSCvo5MUX2ySCOTnWPG:phX13nTIZECe0XjqW
                                                        MD5:DDE0152A5090AA53C61AAF2A62962378
                                                        SHA1:CC0E184F48A3E0C98E7C94BDDF7FD67554867A03
                                                        SHA-256:12F68F8B1D9767FBA0BB69CB847AD71A07C3D314FF52CCBEF8D3EF2FE4065C99
                                                        SHA-512:AB24BB38E3DB80CBD67B4974CAF51DCD47B527876330F281530E2ADC7BC38B0AC5DDAC30BD392CB2131C23FD2B544C87FE17B3E064F2FEF7A9F13375FEC965B0
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):512
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3::
                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):512
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3::
                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                        Category:dropped
                                                        Size (bytes):20480
                                                        Entropy (8bit):1.5869498648117375
                                                        Encrypted:false
                                                        SSDEEP:48:AD8PhXuRc06WXJ0nT5nYQ2BAAECiCyVSCvo5MUX2ySCOTnWPG:phX13nTIZECe0XjqW
                                                        MD5:DDE0152A5090AA53C61AAF2A62962378
                                                        SHA1:CC0E184F48A3E0C98E7C94BDDF7FD67554867A03
                                                        SHA-256:12F68F8B1D9767FBA0BB69CB847AD71A07C3D314FF52CCBEF8D3EF2FE4065C99
                                                        SHA-512:AB24BB38E3DB80CBD67B4974CAF51DCD47B527876330F281530E2ADC7BC38B0AC5DDAC30BD392CB2131C23FD2B544C87FE17B3E064F2FEF7A9F13375FEC965B0
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):73728
                                                        Entropy (8bit):0.14592041754909116
                                                        Encrypted:false
                                                        SSDEEP:24:FWxZGktHPTxkrMvxipVkrMvvkrMvPAEVkryjCyH1ipVkrMvIV2BwGNZMU80zO+fO:FWPGWTeySCTAAECiCyVSCvo5MUXiDQl
                                                        MD5:9B40648F4B2FB6866233D5CB90F2BE7E
                                                        SHA1:2565F31696B4B2294EBE1F3EF52FF7E74DA6E25F
                                                        SHA-256:25746BBFACE2008BDD2E2A44AACF6C1A913216FC80C1AC2C91BFC21054CD7267
                                                        SHA-512:3E710EDAF02A5BBC211C2F7483394E55E59DDB225304D25545F77E51DCFAC7854225D1CEA0B8C218F03A53B8DAA41EB5B213DEFDA697D308630668220D8EEDF1
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                        Category:dropped
                                                        Size (bytes):32768
                                                        Entropy (8bit):1.2701501534705892
                                                        Encrypted:false
                                                        SSDEEP:48:a0PupO+CFXJLT5EVRYQ2BAAECiCyVSCvo5MUX2ySCOTnWPG:3PBzTuVwZECe0XjqW
                                                        MD5:53F3B707DB48965AF04D7B168CEA78DA
                                                        SHA1:3E390404142AEB42049F008DD5E8F0CB84E6A9DE
                                                        SHA-256:EA6E1BB1196ED4ED7903F21B3495592C8184A65143634BE6F5EBEF53E12FA2F1
                                                        SHA-512:0683F7D00E60ABF52900A421BFAB14E9435E8DE18A6626C09DE7886EDADD8672CE8EA1FE90DD0ED863F68A9073CEA16808EC39C0887332B0F100B89FF33F23C6
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):32768
                                                        Entropy (8bit):0.07195135795642803
                                                        Encrypted:false
                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOWbMYGRmG/OEbgVky6lit/:2F0i8n0itFzDHFwGmEvit/
                                                        MD5:61492EF924BF987A48309A27DCE2BE68
                                                        SHA1:E4CBDBB85A42B427737687CA6DC2941559B14B1C
                                                        SHA-256:3D7B6FA929D3CEC8992023BA257836F50E8988729AE91135B7CBE7A6875C9A47
                                                        SHA-512:FF40672D77BD2F7422B0C0EBBC6A8F4F90F021F9705A1AC9104DFE95C1EB0D7075FB37CD089780285453E900FD66ACDD46EB5748E14E0753C392242028D9E708
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):512
                                                        Entropy (8bit):0.0
                                                        Encrypted:false
                                                        SSDEEP:3::
                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                        Category:dropped
                                                        Size (bytes):32768
                                                        Entropy (8bit):1.2701501534705892
                                                        Encrypted:false
                                                        SSDEEP:48:a0PupO+CFXJLT5EVRYQ2BAAECiCyVSCvo5MUX2ySCOTnWPG:3PBzTuVwZECe0XjqW
                                                        MD5:53F3B707DB48965AF04D7B168CEA78DA
                                                        SHA1:3E390404142AEB42049F008DD5E8F0CB84E6A9DE
                                                        SHA-256:EA6E1BB1196ED4ED7903F21B3495592C8184A65143634BE6F5EBEF53E12FA2F1
                                                        SHA-512:0683F7D00E60ABF52900A421BFAB14E9435E8DE18A6626C09DE7886EDADD8672CE8EA1FE90DD0ED863F68A9073CEA16808EC39C0887332B0F100B89FF33F23C6
                                                        Malicious:false
                                                        Process:C:\Windows\System32\msiexec.exe
                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                        Category:dropped
                                                        Size (bytes):32768
                                                        Entropy (8bit):1.2701501534705892
                                                        Encrypted:false
                                                        SSDEEP:48:a0PupO+CFXJLT5EVRYQ2BAAECiCyVSCvo5MUX2ySCOTnWPG:3PBzTuVwZECe0XjqW
                                                        MD5:53F3B707DB48965AF04D7B168CEA78DA
                                                        SHA1:3E390404142AEB42049F008DD5E8F0CB84E6A9DE
                                                        SHA-256:EA6E1BB1196ED4ED7903F21B3495592C8184A65143634BE6F5EBEF53E12FA2F1
                                                        SHA-512:0683F7D00E60ABF52900A421BFAB14E9435E8DE18A6626C09DE7886EDADD8672CE8EA1FE90DD0ED863F68A9073CEA16808EC39C0887332B0F100B89FF33F23C6
                                                        Malicious:false
                                                        Process:C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):638
                                                        Entropy (8bit):4.751962275036146
                                                        Encrypted:false
                                                        SSDEEP:12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
                                                        MD5:15CA959638E74EEC47E0830B90D0696E
                                                        SHA1:E836936738DCB6C551B6B76054F834CFB8CC53E5
                                                        SHA-256:57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
                                                        SHA-512:101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
                                                        Malicious:false
                                                        Preview:[createdump] createdump [options] pid..-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:.. %p PID of dumped process... %e The process executable filename... %h Hostname return by gethostname()... %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)...-n, --normal - create minidump...-h, --withheap - create minidump with heap (default)...-t, --triage - create triage minidump...-u, --full - create full core dump...-d, --diag - enable diagnostic messages...-v, --verbose - enable verbose diagnostic messages...
                                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {E9CB290E-752A-4229-A41F-83542B67B9E5}, Number of Words: 10, Subject: App x installer, Author: Coors Q Corporation, Name of Creating Application: App x installer, Template: x64;2057, Comments: This installer database contains the logic and data required to install App x installer., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Dec 20 14:33:58 2024, Last Saved Time/Date: Fri Dec 20 14:33:58 2024, Last Printed: Fri Dec 20 14:33:58 2024, Number of Pages: 450
                                                        Entropy (8bit):7.202552595393978
                                                        TrID:
                                                        • Windows SDK Setup Transform Script (63028/2) 88.73%
                                                        • Generic OLE2 / Multistream Compound File (8008/1) 11.27%
                                                        File name:q9bzWO2X1r.msi
                                                        File size:60'337'152 bytes
                                                        MD5:43a80979e479ca95d6438d5b01554eff
                                                        SHA1:ce76f966151ca4e1693c2b0a8de999a792299f70
                                                        SHA256:8f04aa009c4431c6f5f7d7e9081862404b78bc4da0b59944706d0acc86dcfec0
                                                        SHA512:ebaa90b74833b57138aac8b87d22ceca771106e635a29373cd60ca297491c45555b7278396e2766706509d3595e54b84273126b89f6cd15e19c523204fda2506
                                                        SSDEEP:786432:wWZbjVmrjV7eIAtehOTZioZ4sdUuzt/NCaY2ksC:wWdVmrjV7eIvhOTZvRjVCa1t
                                                        TLSH:66D76C01B3FA4148F2F75EB17EBA45A594BABD521B30C0EF1204A60E1B71BC25BB5763
                                                        Icon Hash:2d2e3797b32b2b99
                                                        Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                        2024-12-20T22:18:23.137302+0100 | 2829202 | ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA | 1 | 192.168.2.4 | 49731 | 172.67.164.25 | 443 | TCP
                                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                        Dec 20, 2024 22:18:21.541312933 CET | 50506 | 53 | 192.168.2.4 | 1.1.1.1
                                                        Dec 20, 2024 22:18:21.811440945 CET | 53 | 50506 | 1.1.1.1 | 192.168.2.4
                                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                        Dec 20, 2024 22:18:21.541312933 CET | 192.168.2.4 | 1.1.1.1 | 0xb024 | Standard query (0) | cubermo.com | A (IP address) | IN (0x0001) | false
                                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                        Dec 20, 2024 22:18:21.811440945 CET | 1.1.1.1 | 192.168.2.4 | 0xb024 | No error (0) | cubermo.com |  | 172.67.164.25 | A (IP address) | IN (0x0001) | false
                                                        Dec 20, 2024 22:18:21.811440945 CET | 1.1.1.1 | 192.168.2.4 | 0xb024 | No error (0) | cubermo.com |  | 104.21.65.145 | A (IP address) | IN (0x0001) | false
                                                        • cubermo.com
                                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                        0 | 192.168.2.4 | 49731 | 172.67.164.25 | 443 | 7560 | C:\Windows\SysWOW64\msiexec.exe
                                                        Timestamp | Bytes transferred | Direction | Data
                                                        2024-12-20 21:18:23 UTC | 189 | OUT | POST /updater.php HTTP/1.1
                                                        Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                        User-Agent: AdvancedInstaller
                                                        Host: cubermo.com
                                                        Content-Length: 71
                                                        Cache-Control: no-cache
                                                        2024-12-20 21:18:23 UTC | 71 | OUT | Data Raw: 44 61 74 65 3d 32 30 25 32 46 31 32 25 32 46 32 30 32 34 26 54 69 6d 65 3d 31 36 25 33 41 31 38 25 33 41 32 30 26 42 75 69 6c 64 56 65 72 73 69 6f 6e 3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65
                                                        Data Ascii: Date=20%2F12%2F2024&Time=16%3A18%3A20&BuildVersion=8.9.9&SoroqVins=True
                                                        2024-12-20 21:18:23 UTC | 827 | IN | HTTP/1.1 500 Internal Server Error
                                                        Date: Fri, 20 Dec 2024 21:18:23 GMT
                                                        Content-Type: text/html; charset=UTF-8
                                                        Transfer-Encoding: chunked
                                                        Connection: close
                                                        Cache-Control: no-store
                                                        cf-cache-status: DYNAMIC
                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UcHHOMrQPVPrDEhiUmH2OjCz9Kl9rdPPB4Buld51j6JPilWIrePm0MERRf7mwn%2BDARSfK0JO9aqqBUaa5OSqKWU3uE186Xq6jLwWdtcxQR%2FCfsDhxLVaMRFMieP5og%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                        Server: cloudflare
                                                        CF-RAY: 8f52aa23e8258c75-EWR
                                                        alt-svc: h3=":443"; ma=86400
                                                        server-timing: cfL4;desc="?proto=TCP&rtt=2142&min_rtt=2075&rtt_var=826&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2827&recv_bytes=920&delivery_rate=1407228&cwnd=195&unsent_bytes=0&cid=a4e6ea463141b62e&ts=777&x=0"
                                                        2024-12-20 21:18:23 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                        Data Ascii: 0


                                                        Target ID:0
                                                        Start time:16:18:09
                                                        Start date:20/12/2024
                                                        Path:C:\Windows\System32\msiexec.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\q9bzWO2X1r.msi"
                                                        Imagebase:0x7ff7a8710000
                                                        File size:69'632 bytes
                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:1
                                                        Start time:16:18:09
                                                        Start date:20/12/2024
                                                        Path:C:\Windows\System32\msiexec.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\msiexec.exe /V
                                                        Imagebase:0x7ff7a8710000
                                                        File size:69'632 bytes
                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:2
                                                        Start time:16:18:12
                                                        Start date:20/12/2024
                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 9E6B792D165F3699370CC83EA33AEF40
                                                        Imagebase:0xd30000
                                                        File size:59'904 bytes
                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:16:18:23
                                                        Start date:20/12/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pss3245.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msi3232.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scr3233.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scr3234.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
                                                        Imagebase:0x930000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:16:18:23
                                                        Start date:20/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:8
                                                        Start time:16:18:29
                                                        Start date:20/12/2024
                                                        Path:C:\Windows\System32\cmd.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
                                                        Imagebase:0x7ff635490000
                                                        File size:289'792 bytes
                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:9
                                                        Start time:16:18:29
                                                        Start date:20/12/2024
                                                        Path:C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"
                                                        Imagebase:0x7ff6429d0000
                                                        File size:57'488 bytes
                                                        MD5 hash:71F796B486C7FAF25B9B16233A7CE0CD
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 0%, ReversingLabs
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:10
                                                        Start time:16:18:29
                                                        Start date:20/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:11
                                                        Start time:16:18:29
                                                        Start date:20/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:12
                                                        Start time:16:18:30
                                                        Start date:20/12/2024
                                                        Path:C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
                                                        Imagebase:0x140000000
                                                        File size:117'496 bytes
                                                        MD5 hash:F67792E08586EA936EBCAE43AAB0388D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 0%, ReversingLabs
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:13
                                                        Start time:16:18:30
                                                        Start date:20/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1850570159.00000000035F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_35f0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9fd7aaeee95411f0c82eb0b4524d5b568745d3354fcc995e6618a07a72a93ed8
                                                          • Instruction ID: 94f706f66f30e25b3af693bb478428194247a13386c10e84dfd89d382e3a45bf
                                                          • Opcode Fuzzy Hash: 9fd7aaeee95411f0c82eb0b4524d5b568745d3354fcc995e6618a07a72a93ed8
                                                          • Instruction Fuzzy Hash: 09418D70A04649CFDB14DFA9D884B9DFBF2FF84304F148469D416AB7A4DB70A845CB40
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1850570159.00000000035F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_35f0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3c44e8cf83c7c2e973a5a8db754c06c899122efb68e872d30bf74dae95e47fc2
                                                          • Instruction ID: 0abc043cdbfe8e5b00d8736cc736f8f41d44cd625eec4518feff0215a05fd6d8
                                                          • Opcode Fuzzy Hash: 3c44e8cf83c7c2e973a5a8db754c06c899122efb68e872d30bf74dae95e47fc2
                                                          • Instruction Fuzzy Hash: 05317E387096408F9364DE69A060466BFF2FB8B2403058D6ED1CACF765DA31FD448756
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1848717963.000000000343D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0343D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_343d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5ccf97ab1c52df2266872b96d10108990fd33e4700124f01d3b5a79d613c875a
                                                          • Instruction ID: aacfe0b5da3fd784344adc8e50d75f75a6209b4ba6a49cda707bc5c9b6dcadb5
                                                          • Opcode Fuzzy Hash: 5ccf97ab1c52df2266872b96d10108990fd33e4700124f01d3b5a79d613c875a
                                                          • Instruction Fuzzy Hash: 3301407240E3C09ED7128B25C894B52BFB4EF47624F1D81DBD8888F2A3C2699849C772
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1848717963.000000000343D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0343D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_343d000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 599cebd4010a1f9ddbe7fb74bf3985eaec9638d941a0a013b3bab0f97fd29d4a
                                                          • Instruction ID: 6e84badd442cf1ae401864500e4c1b6d31dbe1843a8428e47e587b4a3cc1bce0
                                                          • Opcode Fuzzy Hash: 599cebd4010a1f9ddbe7fb74bf3985eaec9638d941a0a013b3bab0f97fd29d4a
                                                          • Instruction Fuzzy Hash: 9A01F7318093009AE710CA25CD847A7FFA8DF4B728F1CC46BEC581F246C279D842C6B5
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1850570159.00000000035F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_35f0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 72f23849a31411875ae629d1e9fef4ec8499e4aade7d23ccb8ad7349d182e8f6
                                                          • Instruction ID: 883776db2c8ebb097bc7dfc05a6274053ebb66529a99b94dd18ca35aa81c1cc0
                                                          • Opcode Fuzzy Hash: 72f23849a31411875ae629d1e9fef4ec8499e4aade7d23ccb8ad7349d182e8f6
                                                          • Instruction Fuzzy Hash: 34F0F0356483868FDB02DBB8C960B5E7FB2AF02340F144896D141CF2BACB789D48CB81
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1850570159.00000000035F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 035F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_35f0000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5dd2ab5fe0c1c5899a4c65e2592de3d098a425c913aea64bc1fdd65f66055877
                                                          • Instruction ID: aab574195bbaca0db98dbc52ba810588d8fb93172fd25e19e4f6baffa63c1efa
                                                          • Opcode Fuzzy Hash: 5dd2ab5fe0c1c5899a4c65e2592de3d098a425c913aea64bc1fdd65f66055877
                                                          • Instruction Fuzzy Hash: 19F03074B8030A9FDB04DFA4D6A5B6E7BB2EF45740F104914E2029F369CB789D888BC0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1860008395.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 84fk$84fk$tPkq$tPkq$tPkq$tPkq$$kq$$kq$$kq$$kq$^k$^k
                                                          • API String ID: 0-1708710885
                                                          • Opcode ID: f9f958c76603d32c73b61be718f7b000b9a8da4506f083e77a661ff14db54474
                                                          • Instruction ID: c9f08dcc01826ad6b3e571e4897286f0970d4e70343becb95f55a4b9c6a05a29
                                                          • Opcode Fuzzy Hash: f9f958c76603d32c73b61be718f7b000b9a8da4506f083e77a661ff14db54474
                                                          • Instruction Fuzzy Hash: 658148B57043599FD7219B69980076AFBF2AFC6310F2880ABD585CB2D2CA32DD44C7E1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1860008395.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'kq$4'kq$$kq$$kq$$kq$$kq$$kq$$kq
                                                          • API String ID: 0-3137036682
                                                          • Opcode ID: 87b436731be6242463253a975ace02668e6e7a08e250e5dd8b82807bc7c9681a
                                                          • Instruction ID: e6b52e602d56bea1960b11b58d8409cd201df3a2a3cecb9b92a11e39b1bdb74f
                                                          • Opcode Fuzzy Hash: 87b436731be6242463253a975ace02668e6e7a08e250e5dd8b82807bc7c9681a
                                                          • Instruction Fuzzy Hash: 8A5147B5704346AFDB249A69A80076BFBB6EFC5220F28907FD445C72D1DA36C845C7E1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1860008395.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4ek$4ek$$kq$$kq$$kq
                                                          • API String ID: 0-4071047894
                                                          • Opcode ID: 864f8025120e85a899abfd249483a6e7590de54e32460aca067240b0024acaa0
                                                          • Instruction ID: bc9036d7917438d7c998403f16dee25e5d7c0b1444c6e679a7a76b35753b5a67
                                                          • Opcode Fuzzy Hash: 864f8025120e85a899abfd249483a6e7590de54e32460aca067240b0024acaa0
                                                          • Instruction Fuzzy Hash: B71127F1320206AFDA389929A81077BEBDA9FC1210B14943BD546D73D2EE3AD841D3F1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000003.00000002.1860008395.0000000007D00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07D00000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_3_2_7d00000_powershell.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 4'kq$4'kq$$kq$$kq
                                                          • API String ID: 0-1727931526
                                                          • Opcode ID: f5de12a9e5a63fca9ab4b1927928189a75c65a8522a04a2edb0ccce4dc579340
                                                          • Instruction ID: 4f539626dd437d29d3d4df013ba4dde1f7001ddd5a802e935b93ea98caa2e3ba
                                                          • Opcode Fuzzy Hash: f5de12a9e5a63fca9ab4b1927928189a75c65a8522a04a2edb0ccce4dc579340
                                                          • Instruction Fuzzy Hash: 0B0126A13492851FC73A52281C207A6AFF75FC2510B3A00ABC081CF3D7CD2D8C0683E6

                                                          Execution Graph

                                                          Execution Coverage:3.4%
                                                          Dynamic/Decrypted Code Coverage:0%
                                                          Signature Coverage:1.7%
                                                          Total number of Nodes:701
                                                          Total number of Limit Nodes:1
7ff6429d129f 2276->2277 2347 7ff6429d2688 2277->2347 2279 7ff6429d1125 strcmp 2279->2294 2280 7ff6429d12a9 2281 7ff6429d1325 2280->2281 2282 7ff6429d12b9 GetTempPathA 2280->2282 2356 7ff6429d23c0 2281->2356 2285 7ff6429d12cb GetLastError 2282->2285 2286 7ff6429d12e9 strcat_s 2282->2286 2283 7ff6429d1151 strcmp 2283->2294 2287 7ff6429d1450 6 API calls 2285->2287 2286->2281 2288 7ff6429d1304 2286->2288 2290 7ff6429d12df GetLastError 2287->2290 2291 7ff6429d1450 6 API calls 2288->2291 2296 7ff6429d1312 2290->2296 2291->2296 2292 7ff6429d1344 __acrt_iob_func fflush __acrt_iob_func fflush 2292->2296 2293 7ff6429d117d strcmp 2293->2294 2294->2276 2294->2279 2294->2283 2294->2293 2298 7ff6429d1226 strcmp 2294->2298 2296->2275 2298->2294 2299 7ff6429d1239 atoi 2298->2299 2299->2294 2301 7ff6429d28ff 2300->2301 2301->2251 2301->2261 2303 7ff6429d2d31 __scrt_initialize_crt 2302->2303 2304 7ff6429d2916 2303->2304 2305 7ff6429d404c __scrt_initialize_crt 7 API calls 2303->2305 2304->2252 2305->2304 2307 7ff6429d2ef2 2306->2307 2308 7ff6429d2f11 RtlCaptureContext RtlLookupFunctionEntry 2307->2308 2309 7ff6429d2f3a RtlVirtualUnwind 2308->2309 2310 7ff6429d2f76 2308->2310 2309->2310 2311 7ff6429d2fa8 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 2310->2311 2312 7ff6429d2ffa 2311->2312 2312->2249 2314 7ff6429d2bae __scrt_dllmain_crt_thread_attach 2313->2314 2314->2269 2314->2270 2316 7ff6429d4054 2315->2316 2317 7ff6429d405e 2315->2317 2321 7ff6429d44f4 2316->2321 2317->2269 2322 7ff6429d4503 2321->2322 2323 7ff6429d4059 2321->2323 2329 7ff6429d6630 2322->2329 2325 7ff6429d6460 2323->2325 2326 7ff6429d648b 2325->2326 2327 7ff6429d646e DeleteCriticalSection 2326->2327 2328 7ff6429d648f 2326->2328 2327->2326 2328->2317 2333 7ff6429d6498 2329->2333 2334 7ff6429d64dc 2333->2334 2340 7ff6429d65b2 TlsFree 2333->2340 2335 7ff6429d650a LoadLibraryExW 2334->2335 2336 7ff6429d65a1 GetProcAddress 2334->2336 2334->2340 2341 7ff6429d654d LoadLibraryExW 2334->2341 2337 
7ff6429d6581 2335->2337 2338 7ff6429d652b GetLastError 2335->2338 2336->2340 2337->2336 2339 7ff6429d6598 FreeLibrary 2337->2339 2338->2334 2339->2336 2341->2334 2341->2337 2392 7ff6429d1010 2342->2392 2344 7ff6429d148a __acrt_iob_func 2395 7ff6429d1000 2344->2395 2346 7ff6429d14a2 __stdio_common_vfprintf __acrt_iob_func fflush 2346->2275 2350 7ff6429d2690 2347->2350 2348 7ff6429d26aa malloc 2349 7ff6429d26b4 2348->2349 2348->2350 2349->2280 2350->2348 2351 7ff6429d26ba 2350->2351 2352 7ff6429d26c5 2351->2352 2397 7ff6429d2b30 2351->2397 2401 7ff6429d1720 2352->2401 2355 7ff6429d26cb 2355->2280 2357 7ff6429d2688 5 API calls 2356->2357 2358 7ff6429d23f5 OpenProcess 2357->2358 2359 7ff6429d243b GetLastError 2358->2359 2360 7ff6429d2458 K32GetModuleBaseNameA 2358->2360 2361 7ff6429d1450 6 API calls 2359->2361 2362 7ff6429d2492 2360->2362 2363 7ff6429d2470 GetLastError 2360->2363 2367 7ff6429d2453 2361->2367 2418 7ff6429d1800 2362->2418 2365 7ff6429d1450 6 API calls 2363->2365 2368 7ff6429d2484 CloseHandle 2365->2368 2371 7ff6429d25fa 2367->2371 2374 7ff6429d25f3 _invalid_parameter_noinfo_noreturn 2367->2374 2368->2367 2369 7ff6429d25b3 CloseHandle 2369->2367 2370 7ff6429d24ae 2372 7ff6429d13c0 6 API calls 2370->2372 2429 7ff6429d2660 2371->2429 2373 7ff6429d24cf CreateFileA 2372->2373 2375 7ff6429d2543 2373->2375 2376 7ff6429d250f GetLastError 2373->2376 2374->2371 2379 7ff6429d2550 MiniDumpWriteDump 2375->2379 2382 7ff6429d258a CloseHandle CloseHandle 2375->2382 2378 7ff6429d1450 6 API calls 2376->2378 2381 7ff6429d2538 CloseHandle 2378->2381 2379->2382 2383 7ff6429d2576 GetLastError 2379->2383 2381->2367 2382->2367 2383->2375 2385 7ff6429d258c 2383->2385 2386 7ff6429d1450 6 API calls 2385->2386 2386->2382 2387 7ff6429d13c0 __acrt_iob_func 2388 7ff6429d1010 fprintf __stdio_common_vfprintf 2387->2388 2389 7ff6429d13fa __acrt_iob_func 2388->2389 2488 7ff6429d1000 2389->2488 2391 7ff6429d1412 __stdio_common_vfprintf __acrt_iob_func fflush 2391->2292 2396 7ff6429d1000 
2392->2396 2394 7ff6429d1036 __stdio_common_vfprintf 2394->2344 2395->2346 2396->2394 2398 7ff6429d2b3e std::bad_alloc::bad_alloc 2397->2398 2407 7ff6429d3f84 2398->2407 2400 7ff6429d2b4f 2402 7ff6429d172e Concurrency::cancel_current_task 2401->2402 2403 7ff6429d3f84 Concurrency::cancel_current_task 2 API calls 2402->2403 2404 7ff6429d173f 2403->2404 2412 7ff6429d3cc0 2404->2412 2408 7ff6429d3fa3 2407->2408 2409 7ff6429d3fc0 RtlPcToFileHeader 2407->2409 2408->2409 2410 7ff6429d3fe7 RaiseException 2409->2410 2411 7ff6429d3fd8 2409->2411 2410->2400 2411->2410 2413 7ff6429d3ce1 2412->2413 2414 7ff6429d176d 2412->2414 2413->2414 2415 7ff6429d3cf6 malloc 2413->2415 2414->2355 2416 7ff6429d3d23 free 2415->2416 2417 7ff6429d3d07 2415->2417 2416->2414 2417->2416 2419 7ff6429d1863 WSAStartup 2418->2419 2420 7ff6429d1850 2418->2420 2421 7ff6429d185c 2419->2421 2427 7ff6429d187f 2419->2427 2422 7ff6429d1450 6 API calls 2420->2422 2423 7ff6429d2660 __GSHandlerCheck_EH 8 API calls 2421->2423 2422->2421 2425 7ff6429d1d87 2423->2425 2424 7ff6429d1dd0 2426 7ff6429d1450 6 API calls 2424->2426 2425->2369 2425->2370 2426->2421 2427->2421 2427->2424 2438 7ff6429d20c0 2427->2438 2430 7ff6429d2669 2429->2430 2431 7ff6429d1334 2430->2431 2432 7ff6429d29c0 IsProcessorFeaturePresent 2430->2432 2431->2292 2431->2387 2433 7ff6429d29d8 2432->2433 2483 7ff6429d2a94 RtlCaptureContext 2433->2483 2439 7ff6429d2218 2438->2439 2440 7ff6429d20e9 2438->2440 2462 7ff6429d17e0 2439->2462 2442 7ff6429d2144 2440->2442 2444 7ff6429d216c 2440->2444 2445 7ff6429d2137 2440->2445 2453 7ff6429d2690 2442->2453 2443 7ff6429d221d 2447 7ff6429d1720 Concurrency::cancel_current_task 4 API calls 2443->2447 2450 7ff6429d2690 5 API calls 2444->2450 2451 7ff6429d2155 BuildCatchObjectHelperInternal 2444->2451 2445->2442 2445->2443 2448 7ff6429d2223 2447->2448 2449 7ff6429d21e0 _invalid_parameter_noinfo_noreturn 2452 7ff6429d21d3 BuildCatchObjectHelperInternal 2449->2452 2450->2451 2451->2449 2451->2452 2452->2427 2454 
7ff6429d26aa malloc 2453->2454 2455 7ff6429d26b4 2454->2455 2456 7ff6429d269b 2454->2456 2455->2451 2456->2454 2457 7ff6429d26ba 2456->2457 2458 7ff6429d26c5 2457->2458 2459 7ff6429d2b30 Concurrency::cancel_current_task 2 API calls 2457->2459 2460 7ff6429d1720 Concurrency::cancel_current_task 4 API calls 2458->2460 2459->2458 2461 7ff6429d26cb 2460->2461 2461->2451 2475 7ff6429d34d4 2462->2475 2480 7ff6429d33f8 2475->2480 2478 7ff6429d3f84 Concurrency::cancel_current_task 2 API calls 2479 7ff6429d34f6 2478->2479 2481 7ff6429d3cc0 __std_exception_copy 2 API calls 2480->2481 2482 7ff6429d342c 2481->2482 2482->2478 2484 7ff6429d2aae RtlLookupFunctionEntry 2483->2484 2485 7ff6429d2ac4 RtlVirtualUnwind 2484->2485 2486 7ff6429d29eb 2484->2486 2485->2484 2485->2486 2487 7ff6429d2984 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 2486->2487 2488->2391 3021 7ff6429d59ad 3022 7ff6429d43d0 _CreateFrameInfo 10 API calls 3021->3022 3023 7ff6429d59ba 3022->3023 3024 7ff6429d43d0 _CreateFrameInfo 10 API calls 3023->3024 3026 7ff6429d59c3 __GSHandlerCheck_EH 3024->3026 3025 7ff6429d5a0a RaiseException 3027 7ff6429d5a29 3025->3027 3026->3025 3028 7ff6429d3b54 11 API calls 3027->3028 3032 7ff6429d5a31 3028->3032 3029 7ff6429d5a5a __GSHandlerCheck_EH 3030 7ff6429d43d0 _CreateFrameInfo 10 API calls 3029->3030 3031 7ff6429d5a6d 3030->3031 3033 7ff6429d43d0 _CreateFrameInfo 10 API calls 3031->3033 3032->3029 3034 7ff6429d4104 10 API calls 3032->3034 3035 7ff6429d5a76 3033->3035 3034->3029 3036 7ff6429d43d0 _CreateFrameInfo 10 API calls 3035->3036 3037 7ff6429d5a7f 3036->3037 3038 7ff6429d43d0 _CreateFrameInfo 10 API calls 3037->3038 3039 7ff6429d5a8e 3038->3039 3040 7ff6429d74a7 3043 7ff6429d5cc0 3040->3043 3048 7ff6429d5c38 3043->3048 3046 7ff6429d5ce0 3047 7ff6429d43d0 _CreateFrameInfo 10 API calls 3047->3046 3049 7ff6429d5ca3 3048->3049 3050 7ff6429d5c5a 3048->3050 3049->3046 3049->3047 3050->3049 3051 7ff6429d43d0 _CreateFrameInfo 10 API 
calls 3050->3051 3051->3049 3052 7ff6429d2700 3053 7ff6429d2710 3052->3053 3065 7ff6429d2bd8 3053->3065 3055 7ff6429d2ecc 7 API calls 3056 7ff6429d27b5 3055->3056 3057 7ff6429d2734 _RTC_Initialize 3063 7ff6429d2797 3057->3063 3073 7ff6429d2e64 InitializeSListHead 3057->3073 3063->3055 3064 7ff6429d27a5 3063->3064 3066 7ff6429d2c1b 3065->3066 3067 7ff6429d2be9 3065->3067 3066->3057 3068 7ff6429d2c58 3067->3068 3071 7ff6429d2bee __scrt_release_startup_lock 3067->3071 3069 7ff6429d2ecc 7 API calls 3068->3069 3070 7ff6429d2c62 3069->3070 3071->3066 3072 7ff6429d2c0b _initialize_onexit_table 3071->3072 3072->3066 2919 7ff6429d733c _seh_filter_exe 2920 7ff6429d1d39 2921 7ff6429d1d40 2920->2921 2921->2921 2922 7ff6429d2040 22 API calls 2921->2922 2924 7ff6429d18a0 2921->2924 2922->2924 2923 7ff6429d1d76 2926 7ff6429d2660 __GSHandlerCheck_EH 8 API calls 2923->2926 2924->2923 2925 7ff6429d1dd0 2924->2925 2928 7ff6429d20c0 21 API calls 2924->2928 2927 7ff6429d1450 6 API calls 2925->2927 2929 7ff6429d1d87 2926->2929 2927->2923 2928->2924 2935 7ff6429d1550 2936 7ff6429d3d50 __std_exception_destroy free 2935->2936 2937 7ff6429d1567 2936->2937 2930 7ff6429d27d0 2934 7ff6429d3074 SetUnhandledExceptionFilter 2930->2934 3083 7ff6429d1510 3084 7ff6429d3cc0 __std_exception_copy 2 API calls 3083->3084 3085 7ff6429d1539 3084->3085 3089 7ff6429d3090 3090 7ff6429d30c4 3089->3090 3091 7ff6429d30a8 3089->3091 3091->3090 3096 7ff6429d41c0 3091->3096 3095 7ff6429d30e2 3097 7ff6429d43d0 _CreateFrameInfo 10 API calls 3096->3097 3098 7ff6429d30d6 3097->3098 3099 7ff6429d41d4 3098->3099 3100 7ff6429d43d0 _CreateFrameInfo 10 API calls 3099->3100 3101 7ff6429d41dd 3100->3101 3101->3095 3102 7ff6429d7090 3103 7ff6429d70d2 __GSHandlerCheckCommon 3102->3103 3104 7ff6429d70fa 3103->3104 3106 7ff6429d3d78 3103->3106 3109 7ff6429d3da8 _IsNonwritableInCurrentImage __C_specific_handler __except_validate_context_record 3106->3109 3107 7ff6429d3e99 3107->3104 3108 7ff6429d3e64 RtlUnwindEx 3108->3109 
3109->3107 3109->3108 3110 7ff6429d7290 3111 7ff6429d72a3 3110->3111 3112 7ff6429d72b0 3110->3112 3113 7ff6429d1e80 _invalid_parameter_noinfo_noreturn 3111->3113 3113->3112 3114 7ff6429d7411 3115 7ff6429d7495 3114->3115 3116 7ff6429d7429 3114->3116 3116->3115 3117 7ff6429d43d0 _CreateFrameInfo 10 API calls 3116->3117 3118 7ff6429d7476 3117->3118 3119 7ff6429d43d0 _CreateFrameInfo 10 API calls 3118->3119 3120 7ff6429d748b terminate 3119->3120 3120->3115 2938 7ff6429d48c7 abort

                                                          Control-flow Graph

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1907413156.00007FF6429D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6429D0000, based on PE: true
                                                          • Associated: 00000009.00000002.1907380439.00007FF6429D0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907447849.00007FF6429D8000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907513155.00007FF6429DC000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907613388.00007FF6429DD000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7ff6429d0000_createdump.jbxd
                                                          Similarity
                                                          • API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
                                                          • String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
                                                          • API String ID: 2647627392-2367407095
                                                          • Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                          • Instruction ID: e68ccf57d2a12135dac4c5edd3dc1e418fbf876036c8fc59f9252b424d09e68a
                                                          • Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                          • Instruction Fuzzy Hash: A9A1B162D2C78241FF60BF23A4002B967A0AF4675CF684135CA4EC3297DEBEE845E704

                                                          Control-flow Graph

                                                          Similarity
                                                          • API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                          • String ID:
                                                          • API String ID: 2308368977-0
                                                          • Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                          • Instruction ID: 4899a030496879e35583dbfb0aa6d74376e9ad51b49354b66fbf3010eda0e591
                                                          • Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                          • Instruction Fuzzy Hash: 52316F21E2C20342FA18BB23D5113B99391AF9178CFA44035E60DC72E7DEEFE845A654

                                                          Control-flow Graph

                                                          Similarity
                                                          • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                          • String ID: [createdump]
                                                          • API String ID: 3735572767-2657508301
                                                          • Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                          • Instruction ID: 88a0e9eee93252f660f98da675d18988142f165f98a91c5168d7e64049753413
                                                          • Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                          • Instruction Fuzzy Hash: 92014F61A1CB8182E700BB52F80526AA364FB84BD5F504539DB8DC3767CF7DD856D700

                                                          Control-flow Graph

                                                          Similarity
                                                          • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                          • String ID:
                                                          • API String ID: 3140674995-0
                                                          • Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                          • Instruction ID: fb6931546c63e143287775ac7ca397e0c3f80b001756e1f105eea4b626267c33
                                                          • Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                          • Instruction Fuzzy Hash: 09318E72A18A8186EB60AF61E8403EE7360FB84348F54443ADB4EC7B86DF7DC548C710

                                                          Control-flow Graph

                                                          APIs
                                                          • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6429D242D
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6429D243B
                                                            • Part of subcall function 00007FF6429D1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6429D1475
                                                            • Part of subcall function 00007FF6429D1450: fprintf.MSPDB140-MSVCRT ref: 00007FF6429D1485
                                                            • Part of subcall function 00007FF6429D1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6429D1494
                                                            • Part of subcall function 00007FF6429D1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6429D14B3
                                                            • Part of subcall function 00007FF6429D1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6429D14BE
                                                            • Part of subcall function 00007FF6429D1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6429D14C7
                                                          • K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6429D2466
                                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6429D2470
                                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6429D2487
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6429D25F3
                                                          Similarity
                                                          • API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
                                                          • String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
                                                          • API String ID: 3971781330-1292085346
                                                          • Opcode ID: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                          • Instruction ID: dbdb691a3ed3ed8f8ea9b48f98843ab6313a367d53e34b0fab54c8cc5c329ff2
                                                          • Opcode Fuzzy Hash: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                          • Instruction Fuzzy Hash: F8618231A2CA4181F714BB17E45076A6761FB85798F604134DE9EC3AA7CFBEE445E700

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1907413156.00007FF6429D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6429D0000, based on PE: true
                                                          • Associated: 00000009.00000002.1907380439.00007FF6429D0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907447849.00007FF6429D8000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907513155.00007FF6429DC000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907613388.00007FF6429DD000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7ff6429d0000_createdump.jbxd
                                                          Similarity
                                                          • API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 695522112-393685449
                                                          • Opcode ID: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                          • Instruction ID: cae54a42a55647b4fbe91b0655e7f1cd244846bd0a9dfe24321c0338d8fb476d
                                                          • Opcode Fuzzy Hash: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                          • Instruction Fuzzy Hash: 44E18E7292C6828AE720BF36E4803AD77A0FB5474CF245135DA8DC7696DFB9E485E700

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1907413156.00007FF6429D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6429D0000, based on PE: true
                                                          • Associated: 00000009.00000002.1907380439.00007FF6429D0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907447849.00007FF6429D8000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907513155.00007FF6429DC000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907613388.00007FF6429DD000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7ff6429d0000_createdump.jbxd
                                                          Similarity
                                                          • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                          • String ID: [createdump]
                                                          • API String ID: 3735572767-2657508301
                                                          • Opcode ID: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                          • Instruction ID: 33cc5318b1f0289544701430097a0360a9d508d5b130d1bba8552a097626cccb
                                                          • Opcode Fuzzy Hash: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                          • Instruction Fuzzy Hash: E4012C71A1CB8182E700BB52F8152AAA360FB84BD5F504135DB8D837668FBDD895D740

                                                          Control-flow Graph

                                                          APIs
                                                          • WSAStartup.WS2_32 ref: 00007FF6429D186C
                                                            • Part of subcall function 00007FF6429D1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6429D1475
                                                            • Part of subcall function 00007FF6429D1450: fprintf.MSPDB140-MSVCRT ref: 00007FF6429D1485
                                                            • Part of subcall function 00007FF6429D1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6429D1494
                                                            • Part of subcall function 00007FF6429D1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6429D14B3
                                                            • Part of subcall function 00007FF6429D1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6429D14BE
                                                            • Part of subcall function 00007FF6429D1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6429D14C7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1907413156.00007FF6429D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6429D0000, based on PE: true
                                                          • Associated: 00000009.00000002.1907380439.00007FF6429D0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907447849.00007FF6429D8000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907513155.00007FF6429DC000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907613388.00007FF6429DD000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7ff6429d0000_createdump.jbxd
                                                          Similarity
                                                          • API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
                                                          • String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
                                                          • API String ID: 3378602911-3973674938
                                                          • Opcode ID: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                          • Instruction ID: 7f69544b29445fc479bef57e9896fab16bd2bc7ac09ed49ae42f95fc5187addc
                                                          • Opcode Fuzzy Hash: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                          • Instruction Fuzzy Hash: 4731F162A2C68146E759BB5698547F92761BB45788FA40032DE4D83293CFBDE044E300

                                                          Control-flow Graph

                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF6429D669F,?,?,?,00007FF6429D441E,?,?,?,00007FF6429D43D9), ref: 00007FF6429D651D
                                                          • GetLastError.KERNEL32(?,00000000,00007FF6429D669F,?,?,?,00007FF6429D441E,?,?,?,00007FF6429D43D9,?,?,?,?,00007FF6429D3524), ref: 00007FF6429D652B
                                                          • LoadLibraryExW.KERNEL32(?,00000000,00007FF6429D669F,?,?,?,00007FF6429D441E,?,?,?,00007FF6429D43D9,?,?,?,?,00007FF6429D3524), ref: 00007FF6429D6555
                                                          • FreeLibrary.KERNEL32(?,00000000,00007FF6429D669F,?,?,?,00007FF6429D441E,?,?,?,00007FF6429D43D9,?,?,?,?,00007FF6429D3524), ref: 00007FF6429D659B
                                                          • GetProcAddress.KERNEL32(?,00000000,00007FF6429D669F,?,?,?,00007FF6429D441E,?,?,?,00007FF6429D43D9,?,?,?,?,00007FF6429D3524), ref: 00007FF6429D65A7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1907413156.00007FF6429D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6429D0000, based on PE: true
                                                          • Associated: 00000009.00000002.1907380439.00007FF6429D0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907447849.00007FF6429D8000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907513155.00007FF6429DC000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907613388.00007FF6429DD000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7ff6429d0000_createdump.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressErrorFreeLastProc
                                                          • String ID: api-ms-
                                                          • API String ID: 2559590344-2084034818
                                                          • Opcode ID: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                          • Instruction ID: 41663e1ec1ff02341b4382aec5ce6901e13fa08d778b0d824a0944c2c5846341
                                                          • Opcode Fuzzy Hash: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                          • Instruction Fuzzy Hash: CD319221A2E64291FE11BB13A8005792394FF49BA8F694634DE1DC638ADFBDE485D300

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1907413156.00007FF6429D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6429D0000, based on PE: true
                                                          • Associated: 00000009.00000002.1907380439.00007FF6429D0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907447849.00007FF6429D8000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907513155.00007FF6429DC000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907613388.00007FF6429DD000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7ff6429d0000_createdump.jbxd
                                                          Similarity
                                                          • API ID: _time64
                                                          • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                          • API String ID: 1670930206-4114407318
                                                          • Opcode ID: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                          • Instruction ID: e34d7a6eca821e8ba840736935abc5f92a989f580f0545f1ffebadf9ea785843
                                                          • Opcode Fuzzy Hash: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                          • Instruction Fuzzy Hash: 2951E572A2CB8146EB04EB2AE4403AD67A0FB517D8F600136DA5D937AADF7DD041E700

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1907413156.00007FF6429D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6429D0000, based on PE: true
                                                          • Associated: 00000009.00000002.1907380439.00007FF6429D0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907447849.00007FF6429D8000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907513155.00007FF6429DC000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907613388.00007FF6429DD000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7ff6429d0000_createdump.jbxd
                                                          Similarity
                                                          • API ID: EncodePointerabort
                                                          • String ID: MOC$RCC
                                                          • API String ID: 1188231555-2084237596
                                                          • Opcode ID: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                          • Instruction ID: bcf26fe6c301776cf41cb5b172a21798c6d4096603512738052082a1476996a4
                                                          • Opcode Fuzzy Hash: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                          • Instruction Fuzzy Hash: D891E273A18B828AE750EB66E8802AD7BA0F70478CF204139EE8D97756CF7DD191D700

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1907413156.00007FF6429D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6429D0000, based on PE: true
                                                          • Associated: 00000009.00000002.1907380439.00007FF6429D0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907447849.00007FF6429D8000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907513155.00007FF6429DC000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907613388.00007FF6429DD000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7ff6429d0000_createdump.jbxd
                                                          Similarity
                                                          • API ID: __except_validate_context_recordabort
                                                          • String ID: csm$csm
                                                          • API String ID: 746414643-3733052814
                                                          • Opcode ID: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                          • Instruction ID: 16f15cc70fa73e5c34854ab831a4094c760e4b12371e59c1ef3bbef6f7f991ac
                                                          • Opcode Fuzzy Hash: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                          • Instruction Fuzzy Hash: D271BE3662C6828ADBA1BF2694407797BA0FB40BCDF648135DA8CC7A86CF7DD451DB00

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1907413156.00007FF6429D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6429D0000, based on PE: true
                                                          • Associated: 00000009.00000002.1907380439.00007FF6429D0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907447849.00007FF6429D8000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907513155.00007FF6429DC000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907613388.00007FF6429DD000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7ff6429d0000_createdump.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                          • API String ID: 0-4114407318
                                                          • Opcode ID: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                          • Instruction ID: 5b44b1739f472240984267ced6e9513ee66567bf170a164f09da96735d325fbb
                                                          • Opcode Fuzzy Hash: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                          • Instruction Fuzzy Hash: 4051D763A2CB8546E704EB2AE4407AA6761FB817D4F600135EA9D93BDACF7ED041E740

                                                          Control-flow Graph

                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1907413156.00007FF6429D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6429D0000, based on PE: true
                                                          • Associated: 00000009.00000002.1907380439.00007FF6429D0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907447849.00007FF6429D8000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907513155.00007FF6429DC000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907613388.00007FF6429DD000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7ff6429d0000_createdump.jbxd
                                                          Similarity
                                                          • API ID: CreateFrameInfo__except_validate_context_record
                                                          • String ID: csm
                                                          • API String ID: 2558813199-1018135373
                                                          • Opcode ID: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                          • Instruction ID: a9352fcfb50c52dfdc281419fcf0404afbf23341417d5cc503f32764ebf48dcf
                                                          • Opcode Fuzzy Hash: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                          • Instruction Fuzzy Hash: 3D512A3262C74687D660BB16F54026EB7B4FB88B98F241134DA8D87B56CFB9E460DB00
                                                          APIs
                                                          • std::_Xinvalid_argument.LIBCPMT ref: 00007FF6429D17EB
                                                          • WSAStartup.WS2_32 ref: 00007FF6429D186C
                                                            • Part of subcall function 00007FF6429D1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6429D1475
                                                            • Part of subcall function 00007FF6429D1450: fprintf.MSPDB140-MSVCRT ref: 00007FF6429D1485
                                                            • Part of subcall function 00007FF6429D1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6429D1494
                                                            • Part of subcall function 00007FF6429D1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6429D14B3
                                                            • Part of subcall function 00007FF6429D1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6429D14BE
                                                            • Part of subcall function 00007FF6429D1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6429D14C7
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1907413156.00007FF6429D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6429D0000, based on PE: true
                                                          • Associated: 00000009.00000002.1907380439.00007FF6429D0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907447849.00007FF6429D8000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907513155.00007FF6429DC000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907613388.00007FF6429DD000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7ff6429d0000_createdump.jbxd
                                                          Similarity
                                                          • API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
                                                          • String ID: --name$Pipe syntax in dump name not supported$string too long
                                                          • API String ID: 1412700758-3183687674
                                                          • Opcode ID: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                          • Instruction ID: 8e580f2bfab09f79de6843c3e9fec8a7b3a2835333f82724760c7af20c2c8908
                                                          • Opcode Fuzzy Hash: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                          • Instruction Fuzzy Hash: 4801B132A2C9C195F761BF53EC817AA6350BB8979CF600036EE0D87652CE7CE486D700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1907413156.00007FF6429D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6429D0000, based on PE: true
                                                          • Associated: 00000009.00000002.1907380439.00007FF6429D0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907447849.00007FF6429D8000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907513155.00007FF6429DC000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907613388.00007FF6429DD000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7ff6429d0000_createdump.jbxd
                                                          Similarity
                                                          • API ID: ErrorLastgethostname
                                                          • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                          • API String ID: 3782448640-4114407318
                                                          • Opcode ID: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                          • Instruction ID: 6c6769eca2f00f0728f247f233f255352a6fdec4238a667b62fdd1f3564dbd65
                                                          • Opcode Fuzzy Hash: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                          • Instruction Fuzzy Hash: 21110A12E2C24245F748BB23A8503FA22409F867BCF601135D95FD72D7CE7DD442A340
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1907413156.00007FF6429D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6429D0000, based on PE: true
                                                          • Associated: 00000009.00000002.1907380439.00007FF6429D0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907447849.00007FF6429D8000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907513155.00007FF6429DC000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907613388.00007FF6429DD000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7ff6429d0000_createdump.jbxd
                                                          Similarity
                                                          • API ID: terminate
                                                          • String ID: MOC$RCC$csm
                                                          • API String ID: 1821763600-2671469338
                                                          • Opcode ID: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                          • Instruction ID: b8152a8553e5061a1c8b865faa9d36874838aa303105822600972112766d70b6
                                                          • Opcode Fuzzy Hash: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                          • Instruction Fuzzy Hash: E1F08C3692C24692E7247B56B64106C7364EF68B4CF286031D718D6293CFFDE4A0A602
                                                          APIs
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF6429D18EE), ref: 00007FF6429D21E0
                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6429D221E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1907413156.00007FF6429D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6429D0000, based on PE: true
                                                          • Associated: 00000009.00000002.1907380439.00007FF6429D0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907447849.00007FF6429D8000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907513155.00007FF6429DC000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907613388.00007FF6429DD000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7ff6429d0000_createdump.jbxd
                                                          Similarity
                                                          • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                          • String ID: Invalid process id '%d' error %d
                                                          • API String ID: 73155330-4244389950
                                                          • Opcode ID: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                          • Instruction ID: d03e14526d26840d14090be7659e17d953eacec6057ef924398ec168be48eabf
                                                          • Opcode Fuzzy Hash: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                          • Instruction Fuzzy Hash: F331E522B2D78295FE18BF1795442A963A1AB05BD8F244631DB5DC77D7CEBEE050A300
                                                          APIs
                                                          • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6429D173F), ref: 00007FF6429D3FC8
                                                          • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6429D173F), ref: 00007FF6429D400E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1907413156.00007FF6429D1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6429D0000, based on PE: true
                                                          • Associated: 00000009.00000002.1907380439.00007FF6429D0000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907447849.00007FF6429D8000.00000002.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907513155.00007FF6429DC000.00000004.00000001.01000000.00000006.sdmp
                                                          • Associated: 00000009.00000002.1907613388.00007FF6429DD000.00000002.00000001.01000000.00000006.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_7ff6429d0000_createdump.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFileHeaderRaise
                                                          • String ID: csm
                                                          • API String ID: 2573137834-1018135373
                                                          • Opcode ID: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                          • Instruction ID: ee6b1dfd8a2e2b151191e3dff6358c534ae712f00aefaf6ce426f7add930e5af
                                                          • Opcode Fuzzy Hash: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                          • Instruction Fuzzy Hash: A911423261CB4582EB10AF26F440259B7A0FB88B88F684230DF8D87755DF7DD555CB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: AddressProc$HandleModule
                                                          • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                          • API String ID: 667068680-295688737
                                                          • Opcode ID: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                          • Instruction ID: 13faafaa79b11d291190921f60e0072ca138bbc96d9fac4fc6efb195c66ca1e6
                                                          • Opcode Fuzzy Hash: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                          • Instruction Fuzzy Hash: F6A194B4A49B0792EB04AB51FC656B43365BF68B85BD69035C80E0B234EF7CB259C391
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID: /$[thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual $}'
                                                          • API String ID: 2943138195-2884338863
                                                          • Opcode ID: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
                                                          • Instruction ID: 61b4edc47fc50d0b2ac50615fc8390a472214838c67a08255218c020092db5a1
                                                          • Opcode Fuzzy Hash: dfe3c345cf42f50a30eb54d6b673e306e5f826d7c41941afd65b24be17fee6d5
                                                          • Instruction Fuzzy Hash: 8D925162B1CE8286E741CB15E4802BEB7A0FF85764F5011B6FA8E47AA9DF7CD544CB40
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2003779279-1866435925
                                                          • Opcode ID: 625aac92204013468fe8223eb15e1ba7ebfd8b89c7a9e3aeafc43f7ef7cdf4cb
                                                          • Instruction ID: 2f94d3e26226998a448cbc734b5111a65d32ccff220771df8d859c3b99a06b38
                                                          • Opcode Fuzzy Hash: 625aac92204013468fe8223eb15e1ba7ebfd8b89c7a9e3aeafc43f7ef7cdf4cb
                                                          • Instruction Fuzzy Hash: 9DA27B32609B85C2EB24DB19E4903A9B7A0FB99F90F568036DA8D4BB75DF3DD485C700
                                                          APIs
                                                          • memchr.VCRUNTIME140 ref: 00007FFE013030AA
                                                          • memchr.VCRUNTIME140 ref: 00007FFE01303470
                                                          • memchr.VCRUNTIME140 ref: 00007FFE013036A5
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0130410D
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01304114
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0130411B
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01304122
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01304129
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01304130
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01304137
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0130413E
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01304145
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE0130414C
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE013042D3
                                                            • Part of subcall function 00007FFE012E1DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE012DC320), ref: 00007FFE012E1DFB
                                                            • Part of subcall function 00007FFE012E1DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE012DC320), ref: 00007FFE012E1E08
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$memchr$memmovememset
                                                          • String ID: 0123456789-
                                                          • API String ID: 3572500260-3850129594
                                                          • Opcode ID: d35c0aa2dbe6bef1c21aeadcae62e204cf145927830be9a549f55e2bcd8d03b6
                                                          • Instruction ID: ee0947ec5d2b05ae0e28dab71ee193155905033af55b85be304b6a10d65c098a
                                                          • Opcode Fuzzy Hash: d35c0aa2dbe6bef1c21aeadcae62e204cf145927830be9a549f55e2bcd8d03b6
                                                          • Instruction Fuzzy Hash: A6E2CF22A09A8589EB028FA9D4A43BC37A1FB45B98F565139DE5E0B7F5DF3DD481C300
                                                          APIs
                                                            • Part of subcall function 00000001400078C0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                            • Part of subcall function 00000001400078C0: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                            • Part of subcall function 00000001400078C0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                            • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                            • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                            • Part of subcall function 00000001400078C0: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                            • Part of subcall function 00000001400078C0: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                          • OpenEventA.KERNEL32 ref: 00000001400083D0
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008411
                                                          • OpenEventA.KERNEL32 ref: 0000000140008454
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008495
                                                          • CloseHandle.KERNEL32 ref: 00000001400084B4
                                                            • Part of subcall function 0000000140007A80: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                            • Part of subcall function 0000000140007A80: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                            • Part of subcall function 0000000140007A80: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                            • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                            • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                            • Part of subcall function 0000000140007A80: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                            • Part of subcall function 0000000140007A80: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                          • OpenFileMappingA.KERNEL32 ref: 00000001400084F4
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008535
                                                          • CloseHandle.KERNEL32 ref: 0000000140008554
                                                          • CloseHandle.KERNEL32 ref: 0000000140008561
                                                          • MapViewOfFile.KERNEL32 ref: 0000000140008592
                                                          • CloseHandle.KERNEL32 ref: 00000001400085AB
                                                          • CloseHandle.KERNEL32 ref: 00000001400085B8
                                                          • CloseHandle.KERNEL32 ref: 00000001400085C5
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: U?$char_traits@$D@std@@@std@@$CloseHandle$??6?$basic_ostream@V01@$Open_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@D@std@@@1@_EventFileV?$basic_streambuf@$MappingView
                                                          • String ID:
                                                          • API String ID: 1089015687-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: File$CloseCreateHandleMappingView_invalid_parameter_noinfo_noreturnmemcpymemset$Unmap
                                                          • String ID:
                                                          • API String ID: 2074253140-0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: iswdigit$btowclocaleconv
                                                          • String ID: 0$0
                                                          • API String ID: 240710166-203156872
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0123456789-+Ee
                                                          • API String ID: 0-1347306980
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memchr$isdigit$localeconv
                                                          • String ID: 0$0123456789abcdefABCDEF
                                                          • API String ID: 1981154758-1185640306
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memchr$_invalid_parameter_noinfo_noreturn$localeconv
                                                          • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                          • API String ID: 2141594249-3606100449
                                                          APIs
                                                          • _Find_elem.LIBCPMT ref: 00007FFE012F2C08
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F35B9
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F35C0
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F35C7
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F3776
                                                            • Part of subcall function 00007FFE012E1DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE012DC320), ref: 00007FFE012E1DFB
                                                            • Part of subcall function 00007FFE012E1DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE012DC320), ref: 00007FFE012E1E08
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
                                                          • String ID: 0123456789-
                                                          • API String ID: 2779821303-3850129594
                                                          APIs
                                                          • _Find_elem.LIBCPMT ref: 00007FFE012F1660
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F2011
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F2018
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F201F
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F21CE
                                                            • Part of subcall function 00007FFE012E1DA0: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE012DC320), ref: 00007FFE012E1DFB
                                                            • Part of subcall function 00007FFE012E1DA0: memset.VCRUNTIME140(?,?,?,?,?,00007FFE012DC320), ref: 00007FFE012E1E08
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$Find_elemmemmovememset
                                                          • String ID: 0123456789-
                                                          • API String ID: 2779821303-3850129594
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: iswdigit$localeconv
                                                          • String ID: 0$0$0123456789abcdefABCDEF
                                                          • API String ID: 2634821343-613610638
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Findmemmove$CloseFileFirst_invalid_parameter_noinfo_noreturnwcscpy_s
                                                          • String ID: .$.
                                                          • API String ID: 479945582-3769392785
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0123456789-+Ee
                                                          • API String ID: 0-1347306980
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 0123456789-+Ee
                                                          • API String ID: 0-1347306980
                                                          APIs
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F65AB
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F663D
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F66E0
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F6B9C
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F6BEE
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F6C35
                                                            • Part of subcall function 00007FFE012FEBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE012E923E), ref: 00007FFE012FEC08
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                          • String ID:
                                                          • API String ID: 15630516-0
                                                          APIs
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F6EF7
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F6F89
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F702C
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F74E8
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F753A
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F7581
                                                            • Part of subcall function 00007FFE012FEBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE012E923E), ref: 00007FFE012FEC08
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                          • String ID:
                                                          • API String ID: 15630516-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrow$MemoryRecycle@Recycler@allocator@dvacore@@$_invalid_parameter_noinfo_noreturn
                                                          • String ID:
                                                          • API String ID: 1799700165-0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$localeconv
                                                          • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                          • API String ID: 1825414929-3606100449
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$localeconv
                                                          • String ID: 0123456789ABCDEFabcdef-+XxPp
                                                          • API String ID: 1825414929-3606100449
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                          • String ID:
                                                          • API String ID: 1326169664-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                          • String ID:
                                                          • API String ID: 1326169664-0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$memchr
                                                          • String ID: 0123456789ABCDEFabcdef-+Xx
                                                          • API String ID: 2740501399-2799312399
                                                          APIs
                                                            • Part of subcall function 00007FFE01307600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE012D3887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE0130760F
                                                            • Part of subcall function 00007FFE012DF6B0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00007FFE01304C66,?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE66), ref: 00007FFE012DF6FC
                                                          • _W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE77), ref: 00007FFE012F5F35
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE77), ref: 00007FFE012F5F4A
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE77), ref: 00007FFE012F5F58
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$Gettnames_lock_localesrealloc
                                                          • String ID:
                                                          • API String ID: 3705959680-0
                                                          APIs
                                                            • Part of subcall function 00007FFE01307600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE012D3887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE0130760F
                                                            • Part of subcall function 00007FFE012DF6B0: realloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00007FFE01304C66,?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE66), ref: 00007FFE012DF6FC
                                                          • _W_Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE88), ref: 00007FFE012F5245
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE88), ref: 00007FFE012F525A
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE88), ref: 00007FFE012F5268
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$Gettnames_lock_localesrealloc
                                                          • String ID:
                                                          • API String ID: 3705959680-0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ErrorFormatLastMessage
                                                          • String ID: GetLastError() = 0x%X
                                                          • API String ID: 3479602957-3384952017
                                                          APIs
                                                            • Part of subcall function 00007FFE01301E70: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE01301F72
                                                            • Part of subcall function 00007FFE01307600: _lock_locales.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FFE012D3887,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00007FFE0130760F
                                                          • _Gettnames.API-MS-WIN-CRT-TIME-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE66,?,?,?,?,?,?,?,00007FFE012DF7E7), ref: 00007FFE01304BCF
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE66,?,?,?,?,?,?,?,00007FFE012DF7E7), ref: 00007FFE01304BE4
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,0000003F,00000000,?,0000003F,?,00007FFE012DFE66,?,?,?,?,?,?,?,00007FFE012DF7E7), ref: 00007FFE01304BF3
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$Gettnames_invalid_parameter_noinfo_noreturn_lock_locales
                                                          • String ID:
                                                          • API String ID: 962949324-0
                                                          • Opcode ID: 9043c148ef2010f2f70542ae66fbae61dbafe72389065f2e9820c01ca38feb3f
                                                          • Instruction ID: 60f25cabc2a0f077097044d4cba8dff2f7b8207046c23d2e4aa091b9eabe0519
                                                          • Opcode Fuzzy Hash: 9043c148ef2010f2f70542ae66fbae61dbafe72389065f2e9820c01ca38feb3f
                                                          • Instruction Fuzzy Hash: 6C324F65A09A0285FB42DF65D8612B537E0BF54B84F8A4039EA4E4F7B6EF3CF6418344
                                                          APIs
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F46ED
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F473B
                                                            • Part of subcall function 00007FFE012FEBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE012E923E), ref: 00007FFE012FEC08
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                          • String ID:
                                                          • API String ID: 15630516-0
                                                          • Opcode ID: 1817784f6398934f17b5c1fc1ff89bd583d97d098454ec25b1b77ff5e7fd5979
                                                          • Instruction ID: a358dc986d1b9e19c34ebc3f7b1bbfb93985f89e5c690f702f5319da03e52c13
                                                          • Opcode Fuzzy Hash: 1817784f6398934f17b5c1fc1ff89bd583d97d098454ec25b1b77ff5e7fd5979
                                                          • Instruction Fuzzy Hash: 81D19D22B09B8685FB10DFA5E4002AD7372EB99B98F414136DE4D2BBA8DF7CD545D340
                                                          APIs
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F42AD
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE012F42FB
                                                            • Part of subcall function 00007FFE012FEBA4: memmove.VCRUNTIME140(?,?,?,?,?,00007FFE012E923E), ref: 00007FFE012FEC08
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$memmove
                                                          • String ID:
                                                          • API String ID: 15630516-0
                                                          • Opcode ID: 70949c3398483ff70a12550df118893d792e665d376b62c76c52efba2ac503dc
                                                          • Instruction ID: 04d54e026f9dcc3f7d0da72c328494dce16321c423b3816df2bcc020f2e0b39b
                                                          • Opcode Fuzzy Hash: 70949c3398483ff70a12550df118893d792e665d376b62c76c52efba2ac503dc
                                                          • Instruction Fuzzy Hash: 13D19E22B09B8285FB10DFA5D4402AD7372EB99B98F454136DE4D2BBA8DF3CE545D340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                          • String ID:
                                                          • API String ID: 1654775311-0
                                                          • Opcode ID: 3bb2f117e79a6117f4b3e6bec958f3e8dd8a5256ef2b4fbbdb6ff607e8307e28
                                                          • Instruction ID: f95d4a03c3b7b495d1b6f502de8a7ca50ff5384830e52a9edfd0ac424990b9aa
                                                          • Opcode Fuzzy Hash: 3bb2f117e79a6117f4b3e6bec958f3e8dd8a5256ef2b4fbbdb6ff607e8307e28
                                                          • Instruction Fuzzy Hash: 72A19D62F0D69285FB109BA598506BC37A1BBA5F98F554035DE4D2FBA9CF3CE481E300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                          • String ID:
                                                          • API String ID: 1654775311-0
                                                          • Opcode ID: bf0ab77b0a149fc6d94544591d1063178ea26d8df0c271da4e2e244d29e0210e
                                                          • Instruction ID: c9e1ac4d1097c3fe67cf72d8d0b752e26f0be1b9a5640c6d366ee6ca7c7eda55
                                                          • Opcode Fuzzy Hash: bf0ab77b0a149fc6d94544591d1063178ea26d8df0c271da4e2e244d29e0210e
                                                          • Instruction Fuzzy Hash: 1AA1BF62F086A289FB109B65A4506BC37B1FBA5B98F554035DE4D1FBA9DF3CA481E300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: DiskFreeSpace_invalid_parameter_noinfo_noreturnmemcpymemmove
                                                          • String ID:
                                                          • API String ID: 1762017149-0
                                                          • Opcode ID: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                          • Instruction ID: 400c8b6f1c3f60da761f37db1a30001c90995c3f70e8721cc6385c4c1062a641
                                                          • Opcode Fuzzy Hash: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                          • Instruction Fuzzy Hash: B7415832B04B8198FB00CBA1D8416EC27B5BB88BA8F555626CE5D67BA8DF3CD185C340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: InfoLocale___lc_locale_name_func
                                                          • String ID:
                                                          • API String ID: 3366915261-0
                                                          • Opcode ID: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                          • Instruction ID: c9afd9bfa564ff51c22d1364f9a4d11f8e1146bfba0813409f6ac03efee6fdda
                                                          • Opcode Fuzzy Hash: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                          • Instruction Fuzzy Hash: F8F08C33E2C08382F3A85B18D6587782260FB95B05F40003EE10F6A6B8CF6CE544A741
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 490b69e3f64545fc7107fda2974fd4c758ae200a4b3fb0a3bcced098a6adbd7f
                                                          • Instruction ID: a1d6c9f3f130e96928a9ecf3d9ac4dfa4fdeddd6c78ad1b6f560d63523287f36
                                                          • Opcode Fuzzy Hash: 490b69e3f64545fc7107fda2974fd4c758ae200a4b3fb0a3bcced098a6adbd7f
                                                          • Instruction Fuzzy Hash: 85026026A09A8785EB608F15C45037D33A2FB85F88F559035EA4E2B3B6DF3CD846E314
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 273c5d5c9889e952b952b96b3bc08a476687163d48385abf90dbb02fbf949202
                                                          • Instruction ID: 9b5cdd0eebcb3f5b8c36fb6d8ba9b0b7bea0124fb8a74adef33a7725899b3628
                                                          • Opcode Fuzzy Hash: 273c5d5c9889e952b952b96b3bc08a476687163d48385abf90dbb02fbf949202
                                                          • Instruction Fuzzy Hash: 3F025F22A09A4689EB528F69C46437E37E1EB54F98F569036CA4D4F7B5CF3DD882C310
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _lock_locales
                                                          • String ID:
                                                          • API String ID: 3756862740-0
                                                          • Opcode ID: 85b2e6f20d520520c454e61672524edf6e50b3cd1591f460d66584399821aa3d
                                                          • Instruction ID: 0a2dedfa2c0f746c5d5ae0f45327bfb3f9957d3c2d23aa4ca4e474514b7026dc
                                                          • Opcode Fuzzy Hash: 85b2e6f20d520520c454e61672524edf6e50b3cd1591f460d66584399821aa3d
                                                          • Instruction Fuzzy Hash: A0E18721A09A4386EB16DF25E9502B932E0EF94BD0F564135E98E4F7B6EF3CF4429344
                                                          APIs
                                                          • memset.VCRUNTIME140 ref: 000000014000475B
                                                            • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                            • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                            • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                          • ?RationalApproximation@utility@dvacore@@YA?AV?$rational@H@boost@@N@Z.DVACORE ref: 0000000140004866
                                                            • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140004A15
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$memcmp$Approximation@utility@dvacore@@H@boost@@RationalV?$rational@memset
                                                          • String ID: brightness$camera_firmware_version$camera_id$channel_mask$clip_id$contrast$digital_gain_blue$digital_gain_green$digital_gain_red$exposure_compensation$exposure_time$framerate_denominator$framerate_numerator$genlock_setting$gmt_date$gmt_time$iso$jamsync_setting$local_date$local_time$pixel_aspect_ratio$reel_id_full$sample_size$samplerate$saturation$sensor_id$sensor_name$shutter_degrees$shutter_fractions$shutter_phase_offset$user_timecode_preference$white_balance_kelvin$white_balance_tint
                                                          • API String ID: 2423274481-1946953090
                                                          • Opcode ID: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                          • Instruction ID: 3df9d643723a61ec3293b9608ef6f05312d7ec0c5a500361e19cd6c4bd00b042
                                                          • Opcode Fuzzy Hash: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                          • Instruction Fuzzy Hash: 2C32FAB1204A4091EB07EF27E5913EA2762AB8EBD8F444522FB5D4F7B7EE39C5458340
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
                                                          • API String ID: 2943138195-1388207849
                                                          • Opcode ID: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                          • Instruction ID: a74bfa1425be8e96dd24e5497d60fb17a66e5bb6bc34b32ef3846cb1a1208c0c
                                                          • Opcode Fuzzy Hash: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                          • Instruction Fuzzy Hash: 59F16EB2F1CE1294F7198B66D8542BC26B0BF82B64F4045FBCA1D56AB8DF3DA644C740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID: `anonymous namespace'
                                                          • API String ID: 2943138195-3062148218
                                                          • Opcode ID: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                          • Instruction ID: 5d80b17ffae3e599e4e4ee055236bd712223455a7a67871aac9c12fc7558e52c
                                                          • Opcode Fuzzy Hash: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                          • Instruction Fuzzy Hash: 24E12972A0CF8695EB10CF26E4802BD77A0FB86B54F4480B6EA4D57B65EF38E554C700
                                                          APIs
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400026F4
                                                          • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002732
                                                          • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 000000014000274E
                                                          • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002782
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00000001400027D4
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400028A8
                                                          • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00000001400028DE
                                                          • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 00000001400028FA
                                                          • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 000000014000292E
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z.MSVCP140 ref: 000000014000295A
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002A28
                                                          • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A68
                                                          • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A72
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: U?$char_traits@$D@std@@@std@@$_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??6?$basic_ostream@D@std@@@1@@V01@V?$basic_streambuf@$??1?$basic_ios@??1?$basic_iostream@
                                                          • String ID: (
                                                          • API String ID: 703713002-3887548279
                                                          • Opcode ID: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                          • Instruction ID: baf078011914228b1285121be46ed74d2e86fc5146668a69ad3868f5cbe279a1
                                                          • Opcode Fuzzy Hash: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                          • Instruction Fuzzy Hash: 38D18DB2214B8495EB11CF6AE4903EE7761F789BD4F509206EB8E57BA9DF39C085C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn$Library$ByteCharErrorLastLoadMultiWide$AddressFreeProc
                                                          • String ID: [NOT FOUND ] %s
                                                          • API String ID: 2350601386-3340296899
                                                          • Opcode ID: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                          • Instruction ID: 89755aee4be5230680617513bdac96f2938001ccf8c1f4c7198f5862e1eb9078
                                                          • Opcode Fuzzy Hash: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                          • Instruction Fuzzy Hash: 84B1BE32605B9481FB169B26E54039D6761F788BE4F048615FBE90BBE6DFBAC5D0C340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID:
                                                          • API String ID: 2943138195-0
                                                          • Opcode ID: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                          • Instruction ID: accf7b66260b36f056dd3b3a3c587051a8ac1890e43df09590fc01197bf6995f
                                                          • Opcode Fuzzy Hash: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                          • Instruction Fuzzy Hash: FCF17B72F0CA829AE711DF66D4901FC37B0AB86B58F4440F6EB4D67AA9DE38D519C340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__p___argc__p___argv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                          • String ID:
                                                          • API String ID: 1818695170-0
                                                          • Opcode ID: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                          • Instruction ID: 023b0e87761b9852ca56ff973ea6cc8ec164607202ff5c8f9f76f90c0a7f0558
                                                          • Opcode Fuzzy Hash: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                          • Instruction Fuzzy Hash: BA315E3120520192FA5BEB67E5223E927A1AB9D7C4F444025BB994F2F7DE7FC805C351
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
                                                          • API String ID: 2943138195-2309034085
                                                          • Opcode ID: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                          • Instruction ID: abdef68fee57e12a9e820628bd85960d1f71e23e4ef79095c2ffd812cbc038f9
                                                          • Opcode Fuzzy Hash: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                          • Instruction Fuzzy Hash: 4AE18C63F0CE5294FB159B6699541FC27B0AF92F64F4409F7DA0E17AB9DE3CA9088340
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memcmp$_invalid_parameter_noinfo_noreturn$clockmemcpymemset
                                                          • String ID: B8RB$MRDH$SideCarLut$flip_horizontal$flip_vertical
                                                          • API String ID: 140832405-680935841
                                                          • Opcode ID: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                          • Instruction ID: 18037ac5236aebefbc83965bda8a7e26ab6d0ca403e2fb1aff30bf3622b6eda0
                                                          • Opcode Fuzzy Hash: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                          • Instruction Fuzzy Hash: BD2270B2605BC485EB22DF2AE8413E93364F799798F449215EB9C5B7A6EF35C285C300
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 3436797354-393685449
                                                          • Opcode ID: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                          • Instruction ID: cfcbaf154ffb819716330ac0142327a91cc2e5afd221a82b6249c5b13df94228
                                                          • Opcode Fuzzy Hash: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                          • Instruction Fuzzy Hash: DCD15E76B0CB4186EB109B66D4412BD77A4FF96BA8F0001B6DE8D57B66CF38E494C700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiWide$__strncntfreemalloc$CompareInfoString
                                                          • String ID:
                                                          • API String ID: 3420081407-0
                                                          • Opcode ID: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                          • Instruction ID: 03ade9dd95e29c7e3a0fa10b11562d9147b2de52054919fe484d249022409bde
                                                          • Opcode Fuzzy Hash: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                          • Instruction Fuzzy Hash: F7A1D072A08683C6FB358F20C5003BA66D1EF84BA4F598231DA9D5EBE4DF3CE5459352
                                                          APIs
                                                            • Part of subcall function 00007FFE0130B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B0
                                                            • Part of subcall function 00007FFE0130B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B8
                                                            • Part of subcall function 00007FFE0130B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0C1
                                                            • Part of subcall function 00007FFE0130B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0DD
                                                          • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE012EA87E), ref: 00007FFE012E6971
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE012EA87E), ref: 00007FFE012E698E
                                                          • _Maklocstr.LIBCPMT ref: 00007FFE012E69AA
                                                          • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE012EA87E), ref: 00007FFE012E69B3
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE012EA87E), ref: 00007FFE012E69D0
                                                          • _Maklocstr.LIBCPMT ref: 00007FFE012E69EC
                                                          • _Maklocstr.LIBCPMT ref: 00007FFE012E6A01
                                                            • Part of subcall function 00007FFE012D4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4D72
                                                            • Part of subcall function 00007FFE012D4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4D98
                                                            • Part of subcall function 00007FFE012D4D50: memcpy.VCRUNTIME140(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4DB0
                                                          Strings
                                                          • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE012E69DB
                                                          • :AM:am:PM:pm, xrefs: 00007FFE012E69FA
                                                          • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE012E6999
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Maklocstrfree$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
                                                          • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                          • API String ID: 2460671452-35662545
                                                          • Opcode ID: bc039ad66d0ba42197648aeba787bff5dcb880db238b08c6fd2b2a1d39ca72aa
                                                          • Instruction ID: d996e843333251ec09f4318feb0690a4e4d20de808819430a2e2125768a33762
                                                          • Opcode Fuzzy Hash: bc039ad66d0ba42197648aeba787bff5dcb880db238b08c6fd2b2a1d39ca72aa
                                                          • Instruction Fuzzy Hash: 5F213032E08B4282EB10DF21E4542A973A1FBA9F94F454235DB4D5B76AEF3CE585C380
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ByteCharMultiStringWide$freemalloc$__strncnt
                                                          • String ID:
                                                          • API String ID: 1733283546-0
                                                          • Opcode ID: 42a443d3de6e803021fa83b4e3d70fb260ce748b00c348d1738fd123bc224fca
                                                          • Instruction ID: 466b6e293d749c21daa2e829c63b123a536a834e2871068326681afb7eced456
                                                          • Opcode Fuzzy Hash: 42a443d3de6e803021fa83b4e3d70fb260ce748b00c348d1738fd123bc224fca
                                                          • Instruction Fuzzy Hash: 24919132A08B82C6EB208F11D44077A77E1FB94BA8F544235EA9D5BBE8DF7CE5459700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Xp_setw$Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                          • String ID:
                                                          • API String ID: 3166507417-0
                                                          • Opcode ID: eeccd80a1772d7853a0270f4fe0b41f7ed1c8d30b934100b37c1b0e1ad83ab26
                                                          • Instruction ID: 033a00515b61a03d448d612e33d0db01f1d5f86c9569008e22c9b6a491dac280
                                                          • Opcode Fuzzy Hash: eeccd80a1772d7853a0270f4fe0b41f7ed1c8d30b934100b37c1b0e1ad83ab26
                                                          • Instruction Fuzzy Hash: 36618422F085429AF712DAE2D4902FD27A1AB5474CF524139DE0D6BBA6DE3DE50AC700
                                                          APIs
                                                          • SetDllDirectoryW.KERNEL32 ref: 000000014000721A
                                                          • ?AppDir@Dir@filesupport@dvacore@@SA?AV123@XZ.DVACORE ref: 0000000140007225
                                                          • ?FullPath@Dir@filesupport@dvacore@@QEBA?AV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@std@@XZ.DVACORE ref: 0000000140007236
                                                          • ?UTF16to8@string@dvacore@@YA?AV?$basic_string@EU?$char_traits@E@std@@U?$SBAAllocator@E@allocator@dvacore@@@std@@AEBV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@4@@Z.DVACORE ref: 0000000140007245
                                                          • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140007275
                                                          • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 00000001400072A6
                                                          • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400072B6
                                                          • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007362
                                                          • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007372
                                                          • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 000000014000738A
                                                            • Part of subcall function 0000000140008300: WaitForMultipleObjects.KERNEL32 ref: 0000000140008346
                                                            • Part of subcall function 0000000140008300: ResetEvent.KERNEL32 ref: 0000000140008355
                                                            • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007859
                                                            • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007866
                                                            • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007873
                                                            • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007880
                                                            • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000788D
                                                            • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000789A
                                                          • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400073F6
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Dir@filesupport@dvacore@@$CloseHandle$Allocator@_Allocator@allocator@dvacore@@BlockDispose@FileSmallU?$char_traits@_UnmapV?$basic_string@_ViewW@std@@atoi$Allocator@Dir@DirectoryE@allocator@dvacore@@@std@@E@std@@EventF16to8@string@dvacore@@FullMultipleObjectsPath@ResetU?$char_traits@V123@V?$basic_string@W@allocator@dvacore@@@4@@W@allocator@dvacore@@@std@@Wait
                                                          • String ID:
                                                          • API String ID: 2702579277-0
                                                          • Opcode ID: 437ed10fbc8756fbf1e60dd43fbd6bfbe9c17f37ca66854ce1b2d6d7d99f9aed
                                                          • Instruction ID: 4e02132fa2518a481f17a5c3ad5963577c23686a774b89ce01035fe16d76d46e
                                                          • Opcode Fuzzy Hash: 437ed10fbc8756fbf1e60dd43fbd6bfbe9c17f37ca66854ce1b2d6d7d99f9aed
                                                          • Instruction Fuzzy Hash: 09618EB2608A4082FB12CB26F8947EA67A2F78EBD0F505121FB9D476B5DF3DC5498700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2003779279-1866435925
                                                          • Opcode ID: a4a40e9eea858fd0c97179975c5d6148b429b4e8a5f5b1eede2254ca8e2c8e71
                                                          • Instruction ID: 4bf4acb633d8c11482d61b3eafabcebb4fea7e69ef3b6aecb13286d7906d5ebb
                                                          • Opcode Fuzzy Hash: a4a40e9eea858fd0c97179975c5d6148b429b4e8a5f5b1eede2254ca8e2c8e71
                                                          • Instruction Fuzzy Hash: 9391C032A18A46C5EF64DB19E4913B937A0FB94F98F868036CA4E0B7B5DF2DD446C340
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
                                                          • API String ID: 0-3207858774
                                                          • Opcode ID: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
                                                          • Instruction ID: 8f065517ab70d0ae427be357836a4a98134a18e91ecd485643e0fb1f1122e358
                                                          • Opcode Fuzzy Hash: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
                                                          • Instruction Fuzzy Hash: E2913962B0CE8699EB118B22E4502BC37E1AF96FA4B4840F6DE4D037A5EF3CE505D750
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+$Name::operator+=
                                                          • String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
                                                          • API String ID: 179159573-1464470183
                                                          • Opcode ID: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
                                                          • Instruction ID: 6a2766d51977583a39626436be29324422dba0c85a325b472a095d8587eff7ad
                                                          • Opcode Fuzzy Hash: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
                                                          • Instruction Fuzzy Hash: 97513A31F1CE6699FB14CB66E8405BC37B0BF46BA4F5041BAEA0D57A68EF2AD541C700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Xp_setw$Xp_setn$Xp_addx$iswspaceiswxdigit
                                                          • String ID:
                                                          • API String ID: 3781602613-0
                                                          • Opcode ID: e17196f95cdb0749357bc000aa5b227375a42e0ffcdbd2e50a85470c023663fa
                                                          • Instruction ID: 2700a91e2ba12d49783791975b32591f0156896a651a49214e5b3b373edb1ebe
                                                          • Opcode Fuzzy Hash: e17196f95cdb0749357bc000aa5b227375a42e0ffcdbd2e50a85470c023663fa
                                                          • Instruction Fuzzy Hash: ED61F626F085469AF712DFE1C4A02FD67A1AB54748F524539DE0D3BBA9DE3CE50AC700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID:
                                                          • API String ID: 2943138195-0
                                                          • Opcode ID: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
                                                          • Instruction ID: 629e02eea09fd4d18619713f9e6fc1c533e88526bd0e2091754f5c20e8f3d606
                                                          • Opcode Fuzzy Hash: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
                                                          • Instruction Fuzzy Hash: C3615062F08F5698F701DBA2D8801FC27B1BF85BA8B4044B6EE4D6BA69DF78D545C340
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                          • String ID: csm$csm$csm
                                                          • API String ID: 211107550-393685449
                                                          • Opcode ID: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
                                                          • Instruction ID: c3993220d239acd2e0d04f3a0dc45fd37d4f02613580c51f2be66476aaeff4e1
                                                          • Opcode Fuzzy Hash: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
                                                          • Instruction Fuzzy Hash: C6E17372B0CA818AE7109F66D4802BD7BA1FF86F68F1441B6DA9D47766DF38E485C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memchrtolower$_errnoisspace
                                                          • String ID: 0$0123456789abcdefghijklmnopqrstuvwxyz
                                                          • API String ID: 3508154992-2692187688
                                                          • Opcode ID: fec665214cfe3d47a35b6191644bb1773cefb00ebec378436a90ee3c0f6bd372
                                                          • Instruction ID: 89b8b8290ea1178db5f8f89e0b72bc005d89ad8b92c61596034c61661d1e9166
                                                          • Opcode Fuzzy Hash: fec665214cfe3d47a35b6191644bb1773cefb00ebec378436a90ee3c0f6bd372
                                                          • Instruction Fuzzy Hash: 4E512722A0D7D645EB268FA4B8203B976D07F55BE0F4A4038CD9D4F7A5DF3CA9428301
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                                                          • API String ID: 2943138195-2239912363
                                                          • Opcode ID: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
                                                          • Instruction ID: 5ca46681bb3f7eb7439df5bacf718e3a570f5ee832898dc38f2dfaa22618fc2a
                                                          • Opcode Fuzzy Hash: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
                                                          • Instruction Fuzzy Hash: 2A514962F1CF9598FB118B62D8412BC77B0BF8AB64F4540FACA4D12AA5EF3C9144C710
                                                          APIs
                                                          • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                          • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                          • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                            • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                            • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                            • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                            • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                            • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                            • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                            • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                          • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                          • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                          • String ID: ImptRED_CEvent_
                                                          • API String ID: 2242036409-942587184
                                                          • Opcode ID: 557c14cbb82c01860ffad337f226fd7406777ec9e2df2431951664573931bf9d
                                                          • Instruction ID: 9b405900c275d478bf9193c59fc3990d56eeb31e22b03c6e117ca8d8066cf312
                                                          • Opcode Fuzzy Hash: 557c14cbb82c01860ffad337f226fd7406777ec9e2df2431951664573931bf9d
                                                          • Instruction Fuzzy Hash: 1D519AB2204B8096EB11CB6AE89079E7B70F389B98F504111EF8D57BA9DF3DC549CB00
                                                          APIs
                                                          • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E41
                                                          • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007E60
                                                          • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E94
                                                            • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                            • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                            • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                            • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007ECB
                                                            • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                            • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                            • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007EE5
                                                          • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F92
                                                          • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F9C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                          • String ID: ImptRED_SEvent_
                                                          • API String ID: 2242036409-1609572862
                                                          • Opcode ID: d112ca771eb2ea79db8c006b322dd33d38b974d4ce4bed7cb3b18525a6c5e379
                                                          • Instruction ID: 8a97eb910a4fcdb6b4de6865597d3f36b8df7ed7ebbeccb018c797ebbaee1b0b
                                                          • Opcode Fuzzy Hash: d112ca771eb2ea79db8c006b322dd33d38b974d4ce4bed7cb3b18525a6c5e379
                                                          • Instruction Fuzzy Hash: 15519A72204B8096EB11CB6AE8907AE7B70F389B98F504111EF8D17BA8DF3DC549CB40
                                                          APIs
                                                          • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                          • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                          • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                            • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                            • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                            • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                            • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                            • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                            • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                            • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                          • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                          • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                          • String ID: ImptRED_CmdMap_
                                                          • API String ID: 2242036409-3276274529
                                                          • Opcode ID: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
                                                          • Instruction ID: 80f30c22282736ca9dbe0986c54b36137faedd7c3a9fa85d2e807ed86ae44cad
                                                          • Opcode Fuzzy Hash: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
                                                          • Instruction Fuzzy Hash: BC518972204B8096EB11CB6AE8907DE7B70F389B98F504111EF8D17BA8DF79C449CB00
                                                          APIs
                                                          • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007C81
                                                          • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007CA0
                                                          • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007CD4
                                                            • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                            • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                            • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                            • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D0B
                                                            • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                            • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                            • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                          • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D25
                                                          • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DD2
                                                          • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DDC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                          • String ID: ImptRED_DMap_
                                                          • API String ID: 2242036409-2879874026
                                                          • Opcode ID: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                          • Instruction ID: 0bc148500ed73b7892a49071eae52613f37d732fbc5d9ce32192ec441dd01905
                                                          • Opcode Fuzzy Hash: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                          • Instruction Fuzzy Hash: F9518BB2204B4096EB11CB56E8807AE7B70F789B98F504116EF8D17BA8DF7DC549CB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 1099746521-1866435925
                                                          • Opcode ID: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                          • Instruction ID: 97a17ee5f0f70926f1d1d13e73c3f24de56a661bbc9da200bc37e30f21a67f7b
                                                          • Opcode Fuzzy Hash: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                          • Instruction Fuzzy Hash: 2621C161E1950BA5EF14E710E8866FA23A1FFB0740F984036D58E0E5B6EF2DE149D741
                                                          APIs
                                                            • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                            • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                            • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                          • strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00000001400050DF
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140005233
                                                            • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                          • memcmp.VCRUNTIME140 ref: 00000001400052B4
                                                          • memcmp.VCRUNTIME140 ref: 0000000140005325
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400053DA
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnmemcmp$strcmp
                                                          • String ID: MRDH$SideCarLut
                                                          • API String ID: 916663099-3852011117
                                                          • Opcode ID: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
                                                          • Instruction ID: 38950fd8b35224f21f2e144008351fd49fe11793fcade85143d264d05d5c62af
                                                          • Opcode Fuzzy Hash: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
                                                          • Instruction Fuzzy Hash: 4DD192B2204A8496EB62DF26E8843DE2761F74A7D5F841212FB5D4BAF6EF74C645C300
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2003779279-1866435925
                                                          • Opcode ID: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                          • Instruction ID: 4efadb8599297638e2d754eb113ead64accda5fb0a33a64403f38d365d060119
                                                          • Opcode Fuzzy Hash: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
                                                          • Instruction Fuzzy Hash: A8619F22A08A46C5EF64DB15E4A13B97760FB94F98F568036CA4E4B7B5DF2DD44AC300
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrowfputwcfwritestd::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 1428583292-1866435925
                                                          • Opcode ID: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                          • Instruction ID: d1dca043b3b13659ccad22122f4e7f7b45402261d9aa742a60f9fdc483a7b144
                                                          • Opcode Fuzzy Hash: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
                                                          • Instruction Fuzzy Hash: 8C71B173A08A82D9EB50DF25E4802BD33A0FB94B88F954032EA4D8BB68DF3DD555D740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
                                                          • String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
                                                          • API String ID: 1852475696-928371585
                                                          • Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                          • Instruction ID: 013cd142a6995ac864fa583159ae1beaf80749e4ddf302ae3493ce6572dbce35
                                                          • Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
                                                          • Instruction Fuzzy Hash: 9551AE62B1CE4696DA20CB26E4912BA6360FF85FA8F0054F6DA4E07A75EF3CE105C300
                                                          APIs
                                                          • std::ios_base::failure::failure.LIBCPMT ref: 00007FFE013198D3
                                                          • _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE0130C678), ref: 00007FFE013198E4
                                                          • std::ios_base::failure::failure.LIBCPMT ref: 00007FFE01319927
                                                          • _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE0130C678), ref: 00007FFE01319938
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2003779279-1866435925
                                                          • Opcode ID: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
                                                          • Instruction ID: 02b81eea3190659a65618eed90352b9552b4e2289c5eb2de8683dcd8d46b0ece
                                                          • Opcode Fuzzy Hash: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
                                                          • Instruction Fuzzy Hash: DD617B22A08A46C5EB64DB19D4A13B93BA0FF94F98F468036CA4E4B7B5DF2DD446C341
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memchrtolower$_errnoisspace
                                                          • String ID: 0123456789abcdefghijklmnopqrstuvwxyz
                                                          • API String ID: 3508154992-4256519037
                                                          • Opcode ID: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
                                                          • Instruction ID: 924b6efaceab18c9d4edc0677a41bf7d6a47414d5b76816da63a431a698314f0
                                                          • Opcode Fuzzy Hash: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
                                                          • Instruction Fuzzy Hash: 4E512C22A0D78646F7229E64A4203B976D1BF54B99F0A403CDD8D4B7B6DF3CE846C700
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+$Name::operator+=
                                                          • String ID: {for
                                                          • API String ID: 179159573-864106941
                                                          • Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                          • Instruction ID: 2f68bad466aacad969667c7b83dca1f850f10dba4ab56afa6acb3d17ffcba425
                                                          • Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
                                                          • Instruction Fuzzy Hash: 24513972B0CA85A9E7119F26D4413FC63A1EB86B68F4480F6EA4C47BA5EF7CE554C310
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2003779279-1866435925
                                                          • Opcode ID: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
                                                          • Instruction ID: 9b424ca3cd4f36dfc650c6de72f4b0bfc1f07da4876aeda759bbc9f0bbf40854
                                                          • Opcode Fuzzy Hash: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
                                                          • Instruction Fuzzy Hash: 0951BB32A08A4A81EF50DB19D4D12A973A0FF94B98F564132DA9E8B7B4DF3CE845D340
                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A536931
                                                          • GetLastError.KERNEL32(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A53693F
                                                          • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A536958
                                                          • LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A53696A
                                                          • FreeLibrary.KERNEL32(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A5369B0
                                                          • GetProcAddress.KERNEL32(?,?,?,00007FFE1A536A6B,?,?,00000000,00007FFE1A53689C,?,?,?,?,00007FFE1A5365E5), ref: 00007FFE1A5369BC
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                          • String ID: api-ms-
                                                          • API String ID: 916704608-2084034818
                                                          • Opcode ID: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                          • Instruction ID: 6bee55ca76f33367972f73decf52de0ff214f3acd376dc3f719c00d5ae84bead
                                                          • Opcode Fuzzy Hash: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
                                                          • Instruction Fuzzy Hash: 66319222B1EF4295EE159B0398001B662A4BF86FB0F5945FADD1E077A4EF3CE144C320
                                                          APIs
                                                            • Part of subcall function 00007FFE0130B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B0
                                                            • Part of subcall function 00007FFE0130B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B8
                                                            • Part of subcall function 00007FFE0130B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0C1
                                                            • Part of subcall function 00007FFE0130B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0DD
                                                          • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0130243E), ref: 00007FFE01301309
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0130243E), ref: 00007FFE01301326
                                                          • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0130243E), ref: 00007FFE0130134B
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0130243E), ref: 00007FFE01301368
                                                            • Part of subcall function 00007FFE012D4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4D72
                                                            • Part of subcall function 00007FFE012D4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4D98
                                                            • Part of subcall function 00007FFE012D4D50: memcpy.VCRUNTIME140(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4DB0
                                                          Strings
                                                          • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE01301373
                                                          • :AM:am:PM:pm, xrefs: 00007FFE01301392
                                                          • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE01301331
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
                                                          • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                          • API String ID: 1539549574-35662545
                                                          • Opcode ID: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
                                                          • Instruction ID: 953b881eb36bfb2449f6e5069d28aff4e27fef90f824736f94d08e080fa4729d
                                                          • Opcode Fuzzy Hash: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
                                                          • Instruction Fuzzy Hash: 4F214136A04B4182EB10DF21E4542A973A1FF99F94F468235DB4D4B766EF3CE585C380
                                                          APIs
                                                            • Part of subcall function 00007FFE0130B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B0
                                                            • Part of subcall function 00007FFE0130B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B8
                                                            • Part of subcall function 00007FFE0130B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0C1
                                                            • Part of subcall function 00007FFE0130B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0DD
                                                          • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012E6A5E
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012E6A7B
                                                          • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012E6A9B
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012E6AB8
                                                            • Part of subcall function 00007FFE012D4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012E6AB5,?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012D4DF9
                                                            • Part of subcall function 00007FFE012D4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012E6AB5,?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012D4E28
                                                            • Part of subcall function 00007FFE012D4DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FFE012E6AB5,?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012D4E3F
                                                          Strings
                                                          • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE012E6A86
                                                          • :AM:am:PM:pm, xrefs: 00007FFE012E6AD4
                                                          • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFE012E6AC3
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemcpy
                                                          • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                          • API String ID: 1539549574-3743323925
                                                          • Opcode ID: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
                                                          • Instruction ID: 1c58456a21a3ef6d3ae598be053b19ee848bbcb483eccf8dce16da8c04588139
                                                          • Opcode Fuzzy Hash: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
                                                          • Instruction Fuzzy Hash: 74213132D08B4282EB20DF21E45427973B0FBA9B94F455234DA4E5B766EF7CE584C740
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: abort$AdjustPointer
                                                          • String ID:
                                                          • API String ID: 1501936508-0
                                                          • Opcode ID: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                          • Instruction ID: b8b84502707dbb4a39dd8ddb30bd53527bc5a15179d70697402766f6ae676e2b
                                                          • Opcode Fuzzy Hash: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                          • Instruction Fuzzy Hash: B9515AA2B0EE4281EA659B17954463C6394BFA6FE4B1584FBDA4E067A5DE3CE441C300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: abort$AdjustPointer
                                                          • String ID:
                                                          • API String ID: 1501936508-0
                                                          • Opcode ID: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
                                                          • Instruction ID: 4c12f51f128d9c81e1833d6a26f9b931d0a21b71dd5c548733415ccb8a2fd3ae
                                                          • Opcode Fuzzy Hash: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
                                                          • Instruction Fuzzy Hash: DA519062F0DF4291EA658B17944463CA394AFA6FE0F0984FBDA4E067A5DF7CE481C310
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                          • String ID:
                                                          • API String ID: 578106097-0
                                                          • Opcode ID: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
                                                          • Instruction ID: 0c02f1710fd6c2823f6052303a20d4229443865d517f3b0122be3017f4dbf859
                                                          • Opcode Fuzzy Hash: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
                                                          • Instruction Fuzzy Hash: 90610A22F1CA4286EB12DF91E4907BE67A0FB84754F51413AEE4D1B7A6DE3CE549C700
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                          • String ID:
                                                          • API String ID: 578106097-0
                                                          APIs
                                                            • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                            • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                            • Part of subcall function 000000014000C8A0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000014000C98E
                                                          • memmove.VCRUNTIME140 ref: 000000014000C3C8
                                                          • memmove.VCRUNTIME140 ref: 000000014000C427
                                                            • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0B6
                                                            • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0C4
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000C52F
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memcpy$memmove$__acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturn
                                                          • String ID: REDR3D-x64.dll$[LOAD PATH ] %s$[TEST TEST] IGNORING REDIRECT %s
                                                          • API String ID: 1084872782-103080910
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: FileHeader_local_unwind
                                                          • String ID: MOC$RCC$csm$csm
                                                          • API String ID: 2627209546-1441736206
                                                          APIs
                                                          • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                          • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                          • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                          • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                          • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                          • ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                          • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
                                                          • String ID:
                                                          • API String ID: 1492985063-0
                                                          APIs
                                                          • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DBB38
                                                          • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DBB48
                                                          • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DBB5D
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DBB91
                                                          • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DBB9B
                                                          • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DBBAB
                                                          • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DBBBB
                                                            • Part of subcall function 00007FFE013225AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012D5AF8), ref: 00007FFE013225C6
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memcpy$memset$_invalid_parameter_noinfo_noreturnmalloc
                                                          • String ID:
                                                          • API String ID: 2538139528-0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrowsetvbufstd::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2924853686-1866435925
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: CurrentThread$xtime_get
                                                          • String ID:
                                                          • API String ID: 1104475336-0
                                                          APIs
                                                          • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE012F3B56
                                                            • Part of subcall function 00007FFE0130B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B0
                                                            • Part of subcall function 00007FFE0130B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B8
                                                            • Part of subcall function 00007FFE0130B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0C1
                                                            • Part of subcall function 00007FFE0130B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0DD
                                                          • _Maklocstr.LIBCPMT ref: 00007FFE012F3BCF
                                                          • _Maklocstr.LIBCPMT ref: 00007FFE012F3BE5
                                                          • _Getvals.LIBCPMT ref: 00007FFE012F3C8A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Maklocstr$Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                          • String ID: false$true
                                                          • API String ID: 2626534690-2658103896
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: NameName::atol
                                                          • String ID: `template-parameter$void
                                                          • API String ID: 2130343216-4057429177
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                          • API String ID: 2943138195-2211150622
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID: char $int $long $short $unsigned
                                                          • API String ID: 2943138195-3894466517
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnmemsetstrcspn$localeconvmemmove
                                                          • String ID:
                                                          • API String ID: 3009415009-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Dunscale$_errno
                                                          • String ID:
                                                          • API String ID: 2900277114-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Dunscale$_errno
                                                          • String ID:
                                                          • API String ID: 2900277114-0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memmove$memcpy$_invalid_parameter_noinfo_noreturn
                                                          • String ID: R3DAPI 7.3.1-44A14 (20200513 W64S)
                                                          • API String ID: 100741404-1215215629
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: fgetc
                                                          • String ID:
                                                          • API String ID: 2807381905-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                          • String ID:
                                                          • API String ID: 3490103321-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                          • String ID:
                                                          • API String ID: 3490103321-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                          • String ID:
                                                          • API String ID: 1775671525-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: FileHandle$CloseCreateInformation
                                                          • String ID:
                                                          • API String ID: 1240749428-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
                                                          • String ID:
                                                          • API String ID: 3741236498-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Initialize__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_initialize_onexit_tables_configthreadlocale_initialize_narrow_environment_initialize_onexit_table_onexit
                                                          • String ID:
                                                          • API String ID: 2153537742-0
                                                          APIs
                                                          • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE012D5F96), ref: 00007FFE012D2F59
                                                          • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012D5F96), ref: 00007FFE012D2F6B
                                                          • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE012D5F96), ref: 00007FFE012D2F7A
                                                          • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE012D5F96), ref: 00007FFE012D2FE0
                                                          • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE012D5F96), ref: 00007FFE012D2FEE
                                                          • _wcsdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE012D5F96), ref: 00007FFE012D3001
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: __pctype_func$___lc_codepage_func___lc_locale_name_func_wcsdupcalloc
                                                          • String ID:
                                                          • API String ID: 490008815-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: CloseHandle$FileUnmapView
                                                          • String ID:
                                                          • API String ID: 260491571-0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: abort$CallEncodePointerTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 2889003569-2084237596
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
                                                          • API String ID: 2943138195-757766384
                                                          APIs
                                                          • memcmp.VCRUNTIME140 ref: 000000014000AD12
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000ADD5
                                                            • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                            • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: __acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnmemcmp
                                                          • String ID: @$[FAIL INT. ] path '%s' already exists at index %u$[FAIL INT. ] too many paths
                                                          • API String ID: 3207467095-2931640462
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: abort$CallEncodePointerTranslator
                                                          • String ID: MOC$RCC
                                                          • API String ID: 2889003569-2084237596
                                                          APIs
                                                          • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0130B212), ref: 00007FFE0130BBFE
                                                          • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0130B212), ref: 00007FFE0130BC0F
                                                          • iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0130B212), ref: 00007FFE0130BC76
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: iswspace$iswxdigit
                                                          • String ID: (
                                                          • API String ID: 3812816871-3887548279
                                                          APIs
                                                          • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01309122), ref: 00007FFE01309CFA
                                                          • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01309122), ref: 00007FFE01309D0B
                                                          • isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01309122), ref: 00007FFE01309D64
                                                          • isalnum.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01309122), ref: 00007FFE01309E14
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: isspace$isalnumisxdigit
                                                          • String ID: (
                                                          • API String ID: 3355161242-3887548279
                                                          APIs
                                                            • Part of subcall function 00007FFE0130B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B0
                                                            • Part of subcall function 00007FFE0130B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B8
                                                            • Part of subcall function 00007FFE0130B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0C1
                                                            • Part of subcall function 00007FFE0130B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0DD
                                                          • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFE012EA22C), ref: 00007FFE012F3A25
                                                            • Part of subcall function 00007FFE012DB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01301347,?,?,?,?,?,?,?,?,?,00007FFE0130243E), ref: 00007FFE012DB7BF
                                                            • Part of subcall function 00007FFE012DB794: memcpy.VCRUNTIME140(?,?,00000000,00007FFE01301347,?,?,?,?,?,?,?,?,?,00007FFE0130243E), ref: 00007FFE012DB7DB
                                                          • _Getvals.LIBCPMT ref: 00007FFE012F3A61
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                          • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                          • API String ID: 3848194746-3573081731
                                                          APIs
                                                          • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE012F3CE2
                                                            • Part of subcall function 00007FFE0130B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B0
                                                            • Part of subcall function 00007FFE0130B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B8
                                                            • Part of subcall function 00007FFE0130B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0C1
                                                            • Part of subcall function 00007FFE0130B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0DD
                                                          • _Maklocstr.LIBCPMT ref: 00007FFE012F3D5B
                                                          • _Maklocstr.LIBCPMT ref: 00007FFE012F3D71
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                          • String ID: false$true
                                                          • API String ID: 309754672-2658103896
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2003779279-1866435925
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                          • API String ID: 2003779279-1866435925
                                                          APIs
                                                          • ?Recycle@MemoryRecycler@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140006CC6
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140006CF5
                                                          • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006D52
                                                          • memcpy.VCRUNTIME140 ref: 0000000140006DD5
                                                          • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006E6E
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: D@std@@@std@@Pninc@?$basic_streambuf@U?$char_traits@$MemoryRecycle@Recycler@allocator@dvacore@@_invalid_parameter_noinfo_noreturnmemcpy
                                                          • String ID:
                                                          • API String ID: 3275830057-0
                                                          • Opcode ID: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
                                                          • Instruction ID: 3173563bc62d35887f7c9779bdd612006aafe20ffacca945d5b8f48763ffbb63
                                                          • Opcode Fuzzy Hash: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
                                                          • Instruction Fuzzy Hash: 5CA16BB2704B8485EB16CF2AE5443A977A2F389FE8F584516EF8D177A4DB38C895C340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: fgetwc
                                                          • String ID:
                                                          • API String ID: 2948136663-0
                                                          • Opcode ID: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                          • Instruction ID: 38e42cc01f34616d9fff52603d292eb9ce3a649526e1bbefd883eef4b4f3d175
                                                          • Opcode Fuzzy Hash: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                          • Instruction Fuzzy Hash: 05813F72A09A82C8DB10DF65C0903AC33E1FB98B98F555636EA4D8BBA9DF3DD554D300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memcpy$_invalid_parameter_noinfo_noreturn
                                                          • String ID:
                                                          • API String ID: 2665656946-0
                                                          • Opcode ID: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                          • Instruction ID: 6f8685d0ee64a854513a2710a76b76ebba126a19a16799565d604b2c87d49ee9
                                                          • Opcode Fuzzy Hash: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                          • Instruction Fuzzy Hash: 884191B2304B8495EE16DB27B9043D9A395A74EBE0F440625BF6D0B7E5DE7CC081C304
                                                          APIs
                                                          • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DB9D3
                                                          • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DB9E1
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DBA1A
                                                          • memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DBA24
                                                          • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01301347), ref: 00007FFE012DBA32
                                                            • Part of subcall function 00007FFE013225AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012D5AF8), ref: 00007FFE013225C6
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memcpymemset$_invalid_parameter_noinfo_noreturnmalloc
                                                          • String ID:
                                                          • API String ID: 3375828981-0
                                                          • Opcode ID: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                          • Instruction ID: 5b6d50271de4be59124b76868fa4fdc8408e79e605fb5ae3fb8306f79e14092a
                                                          • Opcode Fuzzy Hash: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                          • Instruction Fuzzy Hash: 1531D421B0868391EF14AF16E5143BAA391FB45BD0F594531EF9D0FBAADE7CE0819301
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: NameName::$Name::operator+
                                                          • String ID:
                                                          • API String ID: 826178784-0
                                                          • Opcode ID: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                          • Instruction ID: 609a5f5545df136b8435a2d2338e33e32412857adb40e1dcaf06d2dd9b2951fc
                                                          • Opcode Fuzzy Hash: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                          • Instruction Fuzzy Hash: FC412722F0DE9688EB10CB22D8801B837A4BF96FA0B5440F7DA5D537A5EF39E955C300
                                                          APIs
                                                            • Part of subcall function 00007FFE012E2160: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FFE012D4C3E,?,?,00000000,00007FFE012D5B5B), ref: 00007FFE012E216F
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012D5B5B), ref: 00007FFE012D4C47
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012D5B5B), ref: 00007FFE012D4C5B
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012D5B5B), ref: 00007FFE012D4C6F
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012D5B5B), ref: 00007FFE012D4C83
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012D5B5B), ref: 00007FFE012D4C97
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012D5B5B), ref: 00007FFE012D4CAB
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$setlocale
                                                          • String ID:
                                                          • API String ID: 294139027-0
                                                          • Opcode ID: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                          • Instruction ID: 02be1a525fa9713a1af93c4f78f6452b9bf9a4c3b3c1009480e0544d25111e80
                                                          • Opcode Fuzzy Hash: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                          • Instruction Fuzzy Hash: 08111B22A06A4681FB19AFA1C0F533923E1EF94F18F181134CA0E0D568CF7DE894E3C1
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: __acrt_iob_func$abortfputcfputs
                                                          • String ID:
                                                          • API String ID: 2697642930-0
                                                          • Opcode ID: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                          • Instruction ID: eb75b078fecf4ed78343adf5c9bf5e7a9a9ed2ed3969bcc3f9be600a7f0b060b
                                                          • Opcode Fuzzy Hash: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                          • Instruction Fuzzy Hash: 0EE0ECB4A08646C6E7087F61FC1D374A3269F68F62F350038C90F8A375CE2C65884212
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                          • String ID: %.0Lf$0123456789-
                                                          • API String ID: 4032823789-3094241602
                                                          • Opcode ID: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                          • Instruction ID: 4184f1e5456e1fd7d7c2638d5595a96fb05cf256abeb742d4f5044a212386e78
                                                          • Opcode Fuzzy Hash: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                          • Instruction Fuzzy Hash: 76717F62B09B9689EB00CF65E4546AC3371FB89B98F404036DE4D2BBA8DE3CD559D340
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnmemchrmemmove
                                                          • String ID: 0123456789-
                                                          • API String ID: 2457263114-3850129594
                                                          • Opcode ID: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                          • Instruction ID: ef900e26d95d00fc7b0167d473e48d8ca315643c4ed2f5a682ac50b34ae7884a
                                                          • Opcode Fuzzy Hash: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                          • Instruction Fuzzy Hash: B771A072B09B8589FB11DBB5D4602AC77B1EB59B98F450039DE4D2BBA9CE3CD45AC300
                                                          APIs
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CB86
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CCD1
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturn
                                                          • String ID: gfffffff$gfffffff
                                                          • API String ID: 3668304517-161084747
                                                          • Opcode ID: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                          • Instruction ID: 0937b4d6cc115db4af66b3ecbb46b401b0ea56f4de858bbb036e92e46f157e0a
                                                          • Opcode Fuzzy Hash: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                          • Instruction Fuzzy Hash: D151B5B2311B8942EE25CB17F945799B355E748BE4F048226AFAD8B7E4DF38D081C301
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memset$_invalid_parameter_noinfo_noreturnswprintf_s
                                                          • String ID: %.0Lf
                                                          • API String ID: 1248405305-1402515088
                                                          • Opcode ID: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                          • Instruction ID: 563a3a759f4000057c8ee8c1dbc61e128b92dca3567ee5f7aaddce415b7ae98a
                                                          • Opcode Fuzzy Hash: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                          • Instruction Fuzzy Hash: 7061B422B08B8585EB01DBB5E8502ED7771FB59B94F154135EE8D2BB69DE3CE046C340
                                                          APIs
                                                            • Part of subcall function 00007FFE1A536710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A53239E), ref: 00007FFE1A53671E
                                                          • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A5341C3
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: abort
                                                          • String ID: $csm$csm
                                                          • API String ID: 4206212132-1512788406
                                                          • Opcode ID: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                          • Instruction ID: f94bd2f6ee013b0f5ef064bd4bf5aa4cd285101840c6bae28b81c84547c3d211
                                                          • Opcode Fuzzy Hash: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                          • Instruction Fuzzy Hash: AD71923A70CA8186D7648B1694507797FA0FF86FA6F0481B6EF8D47AA6CE3CD451C740
                                                          APIs
                                                            • Part of subcall function 00007FFE1A536710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A53239E), ref: 00007FFE1A53671E
                                                          • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A533F13
                                                          • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE1A533F23
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Frameabort$EmptyHandler3::StateUnwind
                                                          • String ID: csm$csm
                                                          • API String ID: 4108983575-3733052814
                                                          • Opcode ID: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                          • Instruction ID: d97c5460246ee17a826f15377bd7d26be3eb26be9688e44686fc9df53f140255
                                                          • Opcode Fuzzy Hash: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                          • Instruction Fuzzy Hash: E4512C32B0CA8286EA648B16944427976A0FF96FB5F5441B7DA8D47BA6CF3CE451CB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Exception$RaiseThrowabort
                                                          • String ID: csm
                                                          • API String ID: 3758033050-1018135373
                                                          • Opcode ID: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                          • Instruction ID: 9b1d79431955005ba25bc5c992d1cfc7274eaeba9b0521cff523b6ac0ef5295e
                                                          • Opcode Fuzzy Hash: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                          • Instruction Fuzzy Hash: 15514F22904B86CAEB15CF28D4502E833A0FB98B58F159325DB9D1B7A6DF3DE5D5C340
                                                          APIs
                                                          • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE012DF8D4
                                                          • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE012DF8E6
                                                          • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE012DF96B
                                                            • Part of subcall function 00007FFE012D4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4D72
                                                            • Part of subcall function 00007FFE012D4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4D98
                                                            • Part of subcall function 00007FFE012D4D50: memcpy.VCRUNTIME140(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4DB0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: setlocale$freemallocmemcpy
                                                          • String ID: bad locale name
                                                          • API String ID: 1663771476-1405518554
                                                          • Opcode ID: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                          • Instruction ID: ac71526880d578b23e44f05458b308ec9ba1973a68ba2bb81653269911571c29
                                                          • Opcode Fuzzy Hash: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                          • Instruction Fuzzy Hash: 0331F722F0868341FB55DB16E54117AA3D1AFD5BC0F588035DA9E8F7B5DE3CE8829341
                                                          APIs
                                                            • Part of subcall function 00007FFE0130B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B0
                                                            • Part of subcall function 00007FFE0130B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B8
                                                            • Part of subcall function 00007FFE0130B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0C1
                                                            • Part of subcall function 00007FFE0130B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0DD
                                                          • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFE012EA07C), ref: 00007FFE012F38E1
                                                            • Part of subcall function 00007FFE012DB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01301347,?,?,?,?,?,?,?,?,?,00007FFE0130243E), ref: 00007FFE012DB7BF
                                                            • Part of subcall function 00007FFE012DB794: memcpy.VCRUNTIME140(?,?,00000000,00007FFE01301347,?,?,?,?,?,?,?,?,?,00007FFE0130243E), ref: 00007FFE012DB7DB
                                                            • Part of subcall function 00007FFE012E67B0: _Maklocstr.LIBCPMT ref: 00007FFE012E67E0
                                                            • Part of subcall function 00007FFE012E67B0: _Maklocstr.LIBCPMT ref: 00007FFE012E67FF
                                                            • Part of subcall function 00007FFE012E67B0: _Maklocstr.LIBCPMT ref: 00007FFE012E681E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                          • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                          • API String ID: 2904694926-3573081731
                                                          • Opcode ID: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                          • Instruction ID: 676944a6fdcba66a80d6d162a8708c1e52dc3c083097e967072da96239933756
                                                          • Opcode Fuzzy Hash: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                          • Instruction Fuzzy Hash: 8741CC72A08BC297E724CF21919056EBBA1FB85781B054239CB8D67A21DF7CF562DB00
                                                          APIs
                                                            • Part of subcall function 00007FFE0130B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B0
                                                            • Part of subcall function 00007FFE0130B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B8
                                                            • Part of subcall function 00007FFE0130B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0C1
                                                            • Part of subcall function 00007FFE0130B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0DD
                                                          • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,0000003F,?,00000001,00007FFE01302278), ref: 00007FFE0130434D
                                                            • Part of subcall function 00007FFE012DB794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01301347,?,?,?,?,?,?,?,?,?,00007FFE0130243E), ref: 00007FFE012DB7BF
                                                            • Part of subcall function 00007FFE012DB794: memcpy.VCRUNTIME140(?,?,00000000,00007FFE01301347,?,?,?,?,?,?,?,?,?,00007FFE0130243E), ref: 00007FFE012DB7DB
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemcpy
                                                          • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                          • API String ID: 3376215315-3573081731
                                                          • Opcode ID: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                          • Instruction ID: 71f39a14d54bc8f54c7cccf911282f93b8a664d664ff95171a0124f9274303d6
                                                          • Opcode Fuzzy Hash: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                          • Instruction Fuzzy Hash: CA41C072A08B8297E725CF21919016D7BE0FB44B81B064139CB8957E21DB3CF672CB00
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: NameName::
                                                          • String ID: %lf
                                                          • API String ID: 1333004437-2891890143
                                                          • Opcode ID: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                          • Instruction ID: d1cb95642941fd45f01bff71cc34e70669a6f8dbc50eb8b6b98e7dac3ba66477
                                                          • Opcode Fuzzy Hash: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                          • Instruction Fuzzy Hash: AF318022B0CE8585EA20CB26A85027A6360FF86F94F4481F7EA9E47665DF3CE5428740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: FileFindNext$wcscpy_s
                                                          • String ID: .
                                                          • API String ID: 544952861-248832578
                                                          • Opcode ID: 45e9ef7686e1186a7aee778403a8dd31be2fd3c48eb990b4e7a9f872669560ec
                                                          • Instruction ID: 44dcc48c591e7f899d7062e86ff5411a2167c0246c86213e7ad3e89335a421bd
                                                          • Opcode Fuzzy Hash: 45e9ef7686e1186a7aee778403a8dd31be2fd3c48eb990b4e7a9f872669560ec
                                                          • Instruction Fuzzy Hash: F6218462E0C68282FB709B25F8047B963A0EB94B94F884131DACD4B6A4DF3CD4559740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                          • String ID: ios_base::badbit set
                                                          • API String ID: 1099746521-3882152299
                                                          • Opcode ID: b18094d71eb5fa0dd49bb41d4a20651cb5020cf0babcbd14d2a38fb164982f78
                                                          • Instruction ID: cd60e37100690f45ce499feee6f9b34e9a19da9e90c2ec76aabab192adcf2bf4
                                                          • Opcode Fuzzy Hash: b18094d71eb5fa0dd49bb41d4a20651cb5020cf0babcbd14d2a38fb164982f78
                                                          • Instruction Fuzzy Hash: 55014961F2C60791FB18D725D845ABD2392EFE0744F148136D58E0E9B9DE3DE10A9340
                                                          APIs
                                                            • Part of subcall function 00007FFE1A536710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A53239E), ref: 00007FFE1A53671E
                                                          • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A53243E
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: abortterminate
                                                          • String ID: MOC$RCC$csm
                                                          • API String ID: 661698970-2671469338
                                                          • Opcode ID: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                          • Instruction ID: 71b0fc6e5e28853ddfe2614336c8319ef393e8049bc7849868c0392f889cfc5a
                                                          • Opcode Fuzzy Hash: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                          • Instruction Fuzzy Hash: 4CF08C36A0CE4681EB505F23A18007D3261FF99FA0F0850F7D74802262CF3CD4A0C611
                                                          APIs
                                                          • __C_specific_handler.LIBVCRUNTIME ref: 00007FFE1A53E9F0
                                                            • Part of subcall function 00007FFE1A53EC30: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1A53ECF0
                                                            • Part of subcall function 00007FFE1A53EC30: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1A53E9F5), ref: 00007FFE1A53ED3F
                                                            • Part of subcall function 00007FFE1A536710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A53239E), ref: 00007FFE1A53671E
                                                          • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A53EA1A
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
                                                          • String ID: csm$f
                                                          • API String ID: 2451123448-629598281
                                                          • Opcode ID: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                          • Instruction ID: fe0d4b3af82a2f3562fd1e2f783c302dc6d51a382ce8b4787ba6c53bdc702396
                                                          • Opcode Fuzzy Hash: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                          • Instruction Fuzzy Hash: E3E06575F1CB4681E7206BA3B18513D26E5BF96F74F1480FADE4807666CE3CE8D09601
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID:
                                                          • API String ID: 2943138195-0
                                                          • Opcode ID: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                          • Instruction ID: de3f9428d105a4ed303fede87917347479305529f309faa4fec75df94d2a6e69
                                                          • Opcode Fuzzy Hash: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                          • Instruction Fuzzy Hash: D8917CA2F0CE96C9F7118B62D8503BC27B0BF82B68F5440F6DA4D576A5DF78A845C340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+$NameName::
                                                          • String ID:
                                                          • API String ID: 168861036-0
                                                          • Opcode ID: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
                                                          • Instruction ID: a639e284ee3b93c8ada01ab0927e6416d7c231f45bed8e4c2a68f0a66268a526
                                                          • Opcode Fuzzy Hash: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
                                                          • Instruction Fuzzy Hash: BB513972F1DA9688EB11CF62E8403BC37A0BB96B64F5440B6DA0E47BA5DF3AD441C750
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memset$_invalid_parameter_noinfo_noreturnmemmove
                                                          • String ID:
                                                          • API String ID: 48703092-0
                                                          • Opcode ID: f0acfebeec57c01816e898725c36c4e30a40acc5555a2c14dbc06bee451d9b77
                                                          • Instruction ID: 948ad675966271c9991ceaad39470193d7d81f5c1b48440d7dc352eab6ab828f
                                                          • Opcode Fuzzy Hash: f0acfebeec57c01816e898725c36c4e30a40acc5555a2c14dbc06bee451d9b77
                                                          • Instruction Fuzzy Hash: B431B4B2711A9451EA06DF66F5443EDA291A788BE0F548635AF6C077E5EF38C4E2C300
                                                          APIs
                                                          • memcpy.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE012E67E5), ref: 00007FFE012E6EA1
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE012E67E5), ref: 00007FFE012E6EF2
                                                          • memcpy.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE012E67E5), ref: 00007FFE012E6EFC
                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE012E6F3D
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                          • String ID:
                                                          • API String ID: 1775671525-0
                                                          • Opcode ID: 85f92700b56973fac5dddd040f82a906fa3d37636fa8e3a1a22e046d738f97e4
                                                          • Instruction ID: bed8513207c166ed610fd5db417012316db63a553c028b902d40f1d869414a69
                                                          • Opcode Fuzzy Hash: 85f92700b56973fac5dddd040f82a906fa3d37636fa8e3a1a22e046d738f97e4
                                                          • Instruction Fuzzy Hash: D0411222B0864791EF14DB12E50457A6391EBA8BE4F594631EE6D0FBE9EE3CE041D300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: memcpy$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                          • String ID:
                                                          • API String ID: 1775671525-0
                                                          • Opcode ID: 65def131db07ebb671ced289ad75ed43dc53c7929ef83caf72930572c550efab
                                                          • Instruction ID: 37643df6eb11e843059efeb38ff5179763550ec03501f562ce0d44dab138b053
                                                          • Opcode Fuzzy Hash: 65def131db07ebb671ced289ad75ed43dc53c7929ef83caf72930572c550efab
                                                          • Instruction Fuzzy Hash: FA31C371B0864685EF14AB16E544269A395AF88BE8F548231EEAD0FBF5DE7CE0819300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Xp_movx$Xp_setw_errnoldexpmemcpy
                                                          • String ID:
                                                          • API String ID: 2233944734-0
                                                          • Opcode ID: 1ff152472e2a6c573ab22b20db3e38fcc343a5cc5c017478c776d377500589fd
                                                          • Instruction ID: 434fcbd10dcda23cb936b3b73fc304f480fe9227867378a87fd933018ac97939
                                                          • Opcode Fuzzy Hash: 1ff152472e2a6c573ab22b20db3e38fcc343a5cc5c017478c776d377500589fd
                                                          • Instruction Fuzzy Hash: 1C41E623E1CA8786F351AF2590512B963A0AFDAB40F154239EE4D2B7B6DF3DF5098600
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcislower
                                                          • String ID:
                                                          • API String ID: 2234106055-0
                                                          • Opcode ID: 49391ab6287bfb1c133544008d3ff4748e0f156886d13d026989aa47a4cfeebd
                                                          • Instruction ID: d3613d687c4cd34ce03c015b07126c369437ff23aec1694e5e748358c12556a8
                                                          • Opcode Fuzzy Hash: 49391ab6287bfb1c133544008d3ff4748e0f156886d13d026989aa47a4cfeebd
                                                          • Instruction Fuzzy Hash: 8B3193A2A0C74382F7258B26E85437D6AE1FBD0B91F184035DEC94B7A9DE3CE845D712
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcisupper
                                                          • String ID:
                                                          • API String ID: 3857474680-0
                                                          • Opcode ID: a38db0811340887b8b5530aa5a0d97aa9f0069b43224d29c853334689370c1d1
                                                          • Instruction ID: 9636869b89ba470db1b9570eb1024bfa2e795bd3c73d7b1697c04979452efe31
                                                          • Opcode Fuzzy Hash: a38db0811340887b8b5530aa5a0d97aa9f0069b43224d29c853334689370c1d1
                                                          • Instruction Fuzzy Hash: 3631C3B2A0C69382F715CB15E45437D6AE1FBD0B92F184035DACA0B7A9DE2CE484D712
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID:
                                                          • API String ID: 2943138195-0
                                                          • Opcode ID: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
                                                          • Instruction ID: 66b11d71bcb604f444492588a7f3d036d757cea31ad410e0699a2a9156765480
                                                          • Opcode Fuzzy Hash: 010c9cc7b649f2daabbc83b7255f351f4a32df461fe661a6f710ba75eaae01a6
                                                          • Instruction Fuzzy Hash: 44416773A08B9589E701CF66E8413BC37A0FB86B68F5480A6DA4E57769DF78A445C310
                                                          APIs
                                                          • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,00000000,?,?,?,00007FFE012FE921), ref: 00007FFE0130AFB7
                                                          • memcpy.VCRUNTIME140(?,00000000,?,?,?,00007FFE012FE921), ref: 00007FFE0130AFDB
                                                          • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFE012FE921), ref: 00007FFE0130AFE8
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFE012FE921), ref: 00007FFE0130B05B
                                                            • Part of subcall function 00007FFE012D2E30: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE012D2E5A
                                                            • Part of subcall function 00007FFE012D2E30: LCMapStringEx.KERNEL32 ref: 00007FFE012D2E9E
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: String___lc_locale_name_funcfreemallocmemcpywcsnlen
                                                          • String ID:
                                                          • API String ID: 2888714520-0
                                                          • Opcode ID: 99efea7dbd1116518199412829dbec7523ad640586a417166189b82ef7474ba8
                                                          • Instruction ID: 40c39bd48465b3c3360cf9607e097e19b5bd81d3eea4d63873a3631032a16e92
                                                          • Opcode Fuzzy Hash: 99efea7dbd1116518199412829dbec7523ad640586a417166189b82ef7474ba8
                                                          • Instruction Fuzzy Hash: 77210661B08BD285E721DF12A81056AAAD0FB55FE4F594239DE6D1BBF8DF3CE0028300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _wfsopen$fclosefseek
                                                          • String ID:
                                                          • API String ID: 1261181034-0
                                                          • Opcode ID: 65157f6aaa3c65f973982b065b247de6758d3b07ca583f350756c2c4b6984900
                                                          • Instruction ID: d3aa9314673e869771e13c33934eff78fae593217f2a64f88b5eaa025da7119d
                                                          • Opcode Fuzzy Hash: 65157f6aaa3c65f973982b065b247de6758d3b07ca583f350756c2c4b6984900
                                                          • Instruction Fuzzy Hash: F231D221B1964682EB68CB16E484A7A23D1FFD4F94F194534CE8E4BBB0DE3CE9419740
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _fsopen$fclosefseek
                                                          • String ID:
                                                          • API String ID: 410343947-0
                                                          • Opcode ID: 4df16a4f6c63ea2db741babe0929eaadb8ea0385d608e1fd76dd175521e20e9d
                                                          • Instruction ID: 8747be0aa7ae8d28e12994da5cf88fedd16a72c4068268a25d80143102dcee90
                                                          • Opcode Fuzzy Hash: 4df16a4f6c63ea2db741babe0929eaadb8ea0385d608e1fd76dd175521e20e9d
                                                          • Instruction Fuzzy Hash: 7C31E921B2874641EB68C716E455A7572D2FFE4F84F194934CE4E8B7B0EE3CE5429300
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$FormatFreeLibraryMessage
                                                          • String ID:
                                                          • API String ID: 4174221723-0
                                                          • Opcode ID: 637bee9128a08deb273023f1cf6dd0b875d60af285b14277b8822e8af08c01c9
                                                          • Instruction ID: 329cc6dd5267e1a20a6fc7da630ad77381380cdf8f0f417e816be49fa379c834
                                                          • Opcode Fuzzy Hash: 637bee9128a08deb273023f1cf6dd0b875d60af285b14277b8822e8af08c01c9
                                                          • Instruction Fuzzy Hash: F4315072A18B8441EB128B26E4453AE6751E79DBF4F249301F7FD0B6F9DBB9D5C08600
                                                          APIs
                                                          • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FFE0130576B), ref: 00007FFE0130A604
                                                          • ___lc_collate_cp_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FFE0130576B), ref: 00007FFE0130A60E
                                                            • Part of subcall function 00007FFE012D26E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE012D2728
                                                            • Part of subcall function 00007FFE012D26E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE012D274E
                                                            • Part of subcall function 00007FFE012D26E0: GetCPInfo.KERNEL32 ref: 00007FFE012D2792
                                                          • memcmp.VCRUNTIME140(?,?,?,?,?,?,?,00007FFE0130576B), ref: 00007FFE0130A631
                                                          • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FFE0130576B), ref: 00007FFE0130A66F
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Similarity
                                                          • API ID: __strncnt$Info___lc_collate_cp_func___lc_locale_name_func_errnomemcmp
                                                          • String ID:
                                                          • API String ID: 3421985146-0
                                                          APIs
                                                          • memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                            • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                            • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          Similarity
                                                          • API ID: __acrt_iob_func__stdio_common_vfprintfmemset
                                                          • String ID: [FINALIZE ] %08X %s$[UNLOAD LIB]$[UNLOAD LIB] %08X %s
                                                          • API String ID: 1351999747-1487749591
                                                          APIs
                                                          • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B0
                                                          • ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B8
                                                          • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0C1
                                                          • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0DD
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Similarity
                                                          • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_func
                                                          • String ID:
                                                          • API String ID: 3203701943-0
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Similarity
                                                          • API ID: memmove$FormatFreeLocalMessage
                                                          • String ID: unknown error
                                                          • API String ID: 725469203-3078798498
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Similarity
                                                          • API ID: malloc
                                                          • String ID: MOC$RCC$csm
                                                          • API String ID: 2803490479-2671469338
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                          • String ID: 0123456789-
                                                          • API String ID: 4032823789-3850129594
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                          • String ID: %.0Lf
                                                          • API String ID: 296878162-1402515088
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                          • String ID: %.0Lf
                                                          • API String ID: 296878162-1402515088
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Similarity
                                                          • API ID: rand_s
                                                          • String ID: invalid random_device value
                                                          • API String ID: 863162693-3926945683
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          Similarity
                                                          • API ID: abort$CreateFrameInfo
                                                          • String ID: csm
                                                          • API String ID: 2697087660-1018135373
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Similarity
                                                          • API ID: Strftime_invalid_parameter_noinfo_noreturn
                                                          • String ID: !%x
                                                          • API String ID: 1195835417-1893981228
                                                          APIs
                                                          • Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE012D3305
                                                            • Part of subcall function 00007FFE013225AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012D5AF8), ref: 00007FFE013225C6
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE012D57FA,?,?,?,00007FFE012D4438), ref: 00007FFE012D32FE
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Similarity
                                                          • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                          • String ID: ios_base::failbit set
                                                          • API String ID: 1934640635-3924258884
                                                          • Opcode ID: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
                                                          • Instruction ID: 26b9e2593801cf91b8d1ab8556d3ba5e825c1684d66e6feca9e4d1cd7d1ab806
                                                          • Opcode Fuzzy Hash: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
                                                          • Instruction Fuzzy Hash: 7A21B471B09B8285DB60DB11E5402AAB3E4FB88BE0F544631EEDC4BBA9EF3CD5458740
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: Name::operator+
                                                          • String ID: void$void
                                                          • API String ID: 2943138195-3746155364
                                                          • Opcode ID: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                          • Instruction ID: 6d1d44f62ee5a8f2598de29236c61aeedd567e38c12f4c28790ba6cc887ffc0a
                                                          • Opcode Fuzzy Hash: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                          • Instruction Fuzzy Hash: A7312762F1CE5988FB10CB62E8510FC37B0BB89B58B4405BADE4E53B69EF389144C750
                                                          APIs
                                                            • Part of subcall function 000000014000FAA0: memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                          • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000E441
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                          • String ID: [FAIL LOAD ] %s$[LOAD LIB ] %s
                                                          • API String ID: 1654775311-1428855073
                                                          • Opcode ID: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
                                                          • Instruction ID: e1e0474e3a99f30cd742c56738cdfbd4506b2c38850e860c1e011aff6007d584
                                                          • Opcode Fuzzy Hash: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
                                                          • Instruction Fuzzy Hash: EC218EB2714B8481FA16CB1AF44439A6362E78DBE4F544321BBA94BAF9DF38C181C740
                                                          APIs
                                                          • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFE012DC744), ref: 00007FFE012DF1D4
                                                            • Part of subcall function 00007FFE0130B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B0
                                                            • Part of subcall function 00007FFE0130B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0B8
                                                            • Part of subcall function 00007FFE0130B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0C1
                                                            • Part of subcall function 00007FFE0130B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE012D6093), ref: 00007FFE0130B0DD
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                          • String ID: false$true
                                                          • API String ID: 2502581279-2658103896
                                                          • Opcode ID: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
                                                          • Instruction ID: 658422008463be6eb12ca5444aaa249887bb342f20a22b0da97ebfa9138561c9
                                                          • Opcode Fuzzy Hash: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
                                                          • Instruction Fuzzy Hash: 9A219437608B8681E720DF21E4503A977A0FBACBA8F454536DA8C0B369DF3CD555C780
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: FileHeader$ExceptionRaise
                                                          • String ID: Access violation - no RTTI data!$Bad dynamic_cast!
                                                          • API String ID: 3685223789-3176238549
                                                          • Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                          • Instruction ID: 2e7033c215fcb6bc7fb7089690df9eaf4ea99f5ff855eece9ab13efdae4accf1
                                                          • Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                          • Instruction Fuzzy Hash: 3701B161B2DE4692EE009B16E4511B96320FFD1FA4F4060F7E60E07ABAEF6CD404C710
                                                          APIs
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915342093.00007FFE1A530000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915412904.00007FFE1A541000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915438183.00007FFE1A542000.00000002.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915475223.00007FFE1A546000.00000004.00000001.01000000.0000000A.sdmp
                                                          • Associated: 0000000C.00000002.1915512343.00007FFE1A547000.00000002.00000001.01000000.0000000A.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionFileHeaderRaise
                                                          • String ID: csm
                                                          • API String ID: 2573137834-1018135373
                                                          • Opcode ID: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                          • Instruction ID: c4682dba150fd1e7b3611c8f821ee4c8cf76714fe250407acccca985c27949dd
                                                          • Opcode Fuzzy Hash: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                          • Instruction Fuzzy Hash: 57112E32A1CB4182EB518F16E44026A7BA5FB85F94F1841B5DE8D07B64EF3DD5518700
                                                          APIs
                                                          • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE012D69ED
                                                            • Part of subcall function 00007FFE012D4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012E6AB5,?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012D4DF9
                                                            • Part of subcall function 00007FFE012D4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012E6AB5,?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012D4E28
                                                            • Part of subcall function 00007FFE012D4DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FFE012E6AB5,?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012D4E3F
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE012D6A0A
                                                          Strings
                                                          • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE012D6A15
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$Getdaysmallocmemcpy
                                                          • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                          • API String ID: 1347072587-3283725177
                                                          • Opcode ID: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                          • Instruction ID: b9ae3ee86edea433ee43d7792133afd94736df8288ee79788b358fe209c6bd5a
                                                          • Opcode Fuzzy Hash: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                          • Instruction Fuzzy Hash: 16E0ED21A15B4292EB20AB12F58436973A0FF58BA4F545134DB4D0BB65DF3CE5A48701
                                                          APIs
                                                          • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE012D6A3D
                                                            • Part of subcall function 00007FFE012D4DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012E6AB5,?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012D4DF9
                                                            • Part of subcall function 00007FFE012D4DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE012E6AB5,?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012D4E28
                                                            • Part of subcall function 00007FFE012D4DD0: memcpy.VCRUNTIME140(?,?,00000000,00007FFE012E6AB5,?,?,?,?,?,?,?,?,?,00007FFE012EA96E), ref: 00007FFE012D4E3F
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE012D6A5A
                                                          Strings
                                                          • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFE012D6A65
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$Getmonthsmallocmemcpy
                                                          • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece
                                                          • API String ID: 1628830074-2030377133
                                                          • Opcode ID: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                          • Instruction ID: c3c12a03f94fc2660c134b7473e8fe8461dab79ca4a9bf3b2610f6ed785efb74
                                                          • Opcode Fuzzy Hash: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                          • Instruction Fuzzy Hash: 5CE0ED21A15B4292EB50AB52F58436963A0FF59B94F846034DB4E0BB65DF7CE5B4C301
                                                          APIs
                                                          • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE012D62CD
                                                            • Part of subcall function 00007FFE012D4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4D72
                                                            • Part of subcall function 00007FFE012D4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4D98
                                                            • Part of subcall function 00007FFE012D4D50: memcpy.VCRUNTIME140(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4DB0
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE012D62EA
                                                          Strings
                                                          • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE012D62F5
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$Getdaysmallocmemcpy
                                                          • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                          • API String ID: 1347072587-3283725177
                                                          • Opcode ID: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                          • Instruction ID: a7e68cca9976ab3f2b71f1355aa5b496982764f33d20dbb5dc5349032cbc2643
                                                          • Opcode Fuzzy Hash: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                          • Instruction Fuzzy Hash: CAE01231B14B8292EF14AB12F598369A3A0FF58B90F959434DB5D0B765EF3CE5A4C700
                                                          APIs
                                                          • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE012D633D
                                                            • Part of subcall function 00007FFE012D4D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4D72
                                                            • Part of subcall function 00007FFE012D4D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4D98
                                                            • Part of subcall function 00007FFE012D4D50: memcpy.VCRUNTIME140(?,?,?,00007FFE012E2124,?,?,?,00007FFE012D43DB,?,?,?,00007FFE012D5B31), ref: 00007FFE012D4DB0
                                                          • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE012D635A
                                                          Strings
                                                          • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE012D6365
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          • Associated: 0000000C.00000002.1915066081.00007FFE012D0000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915169054.00007FFE01325000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915196721.00007FFE01326000.00000002.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915241753.00007FFE01353000.00000004.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915276377.00007FFE01354000.00000008.00000001.01000000.00000009.sdmp
                                                          • Associated: 0000000C.00000002.1915306451.00007FFE01357000.00000002.00000001.01000000.00000009.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free$Getmonthsmallocmemcpy
                                                          • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
                                                          • API String ID: 1628830074-4232081075
                                                          • Opcode ID: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                          • Instruction ID: e0570ebbd2ae4a31e3beb914ab2531e83aaa6b335682b909cdee821d0d003aeb
                                                          • Opcode Fuzzy Hash: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                          • Instruction Fuzzy Hash: B1E0ED21A15B4292EF10AB52F58436963B0FF69B90F485034DB5D0B765DF3CE5E4C780
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          • Associated: 0000000C.00000002.1911174589.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911239248.0000000140013000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911322828.0000000140014000.00000002.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911350832.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                          • Associated: 0000000C.00000002.1911381842.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrow
                                                          • String ID:
                                                          • API String ID: 432778473-0
                                                          • Opcode ID: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                          • Instruction ID: 3f6ef9a8942bd25f1c030384d86529519749b139d31aef7b6ed3ba5bf9942206
                                                          • Opcode Fuzzy Hash: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                          • Instruction Fuzzy Hash: 582153B6610A8489E729EE37E8523E92311F78C7D8F149426BF4D4FBAECE31C4518340
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1911201865.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ExceptionThrow$_invalid_parameter_noinfo_noreturn
                                                          • String ID:
                                                          • API String ID: 2822070131-0
                                                          APIs
                                                          • GetLastError.KERNEL32(?,?,?,00007FFE1A5365B9,?,?,?,?,00007FFE1A53FB22,?,?,?,?,?), ref: 00007FFE1A53674B
                                                          • SetLastError.KERNEL32(?,?,?,00007FFE1A5365B9,?,?,?,?,00007FFE1A53FB22,?,?,?,?,?), ref: 00007FFE1A5367D4
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915372130.00007FFE1A531000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A530000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe1a530000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: ErrorLast
                                                          • String ID:
                                                          • API String ID: 1452528299-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free
                                                          • String ID:
                                                          • API String ID: 1294909896-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free
                                                          • String ID:
                                                          • API String ID: 1294909896-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free
                                                          • String ID:
                                                          • API String ID: 1294909896-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.1915102560.00007FFE012D1000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE012D0000, based on PE: true
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7ffe012d0000_ImporterREDServer.jbxd
                                                          Similarity
                                                          • API ID: free
                                                          • String ID:
                                                          • API String ID: 1294909896-0