
Windows Analysis Report
Setup.msi

Overview

General Information

Sample name: Setup.msi
Analysis ID: 1579143
MD5: d874e0a9455815e7a46abf2df7f74896
SHA1: d2c0d8370b340d37b8eb0e9c06ddd0c05be7450b
SHA256: 14c34f0134e24ff3e0761b97081e9cdd70725f16686f8c3b0beb28328bea795f
Tags: cubermo-com, LegionLoader, msi, RobotDropper, user-aachum

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
AI detected suspicious sample
Bypasses PowerShell execution policy
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Msiexec Initiated Connection
Sigma detected: Suspicious MsiExec Embedding Parent
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • msiexec.exe (PID: 6688 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Setup.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 6784 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7128 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3D12795788B3B48CFEE010738CCB41BA MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • powershell.exe (PID: 2924 cmdline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrD4C0.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrD4C1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue." MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • conhost.exe (PID: 2912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4484 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ImporterREDServer.exe (PID: 5300 cmdline: "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe" MD5: F67792E08586EA936EBCAE43AAB0388D)
        • conhost.exe (PID: 1460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • createdump.exe (PID: 3912 cmdline: "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe" MD5: 71F796B486C7FAF25B9B16233A7CE0CD)
      • conhost.exe (PID: 2872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrD4C0.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrD4C1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrD4C0.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrD4C1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 3D12795788B3B48CFEE010738CCB41BA, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7128, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrD4C0.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrD4C1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 2924, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrD4C0.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrD4C1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrD4C0.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrD4C1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 3D12795788B3B48CFEE010738CCB41BA, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7128, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrD4C0.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrD4C1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 2924, ProcessName: powershell.exe
Source: Process started | Author: frack113 | Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrD4C0.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrD4C1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrD4C0.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrD4C1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 3D12795788B3B48CFEE010738CCB41BA, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7128, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrD4C0.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrD4C1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 2924, ProcessName: powershell.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 172.67.164.25, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\msiexec.exe, Initiated: true, ProcessId: 7128, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730
Source: Process started | Author: frack113 | Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrD4C0.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrD4C1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrD4C0.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrD4C1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 3D12795788B3B48CFEE010738CCB41BA, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7128, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrD4C0.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrD4C1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 2924, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrD4C0.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrD4C1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrD4C0.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrD4C1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 3D12795788B3B48CFEE010738CCB41BA, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7128, ParentProcessName: msiexec.exe, ProcessCommandLine: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrD4C0.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrD4C1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue.", ProcessId: 2924, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-20T22:47:26.903254+0100 | 2829202 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 172.67.164.25 | 443 | TCP


AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 95.9% probability
Source: C:\Windows\System32\msiexec.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5A278211-3D84-49CA-AC02-C993B0AB8CAA}
Source: unknown | HTTPS traffic detected: 172.67.164.25:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000009.00000000.1907571554.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000C.00000000.1909595570.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: ucrtbase.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: ImporterREDServer.exe, 0000000C.00000002.1912497165.00007FFE1A4E5000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: Setup.msi, MSIAA87.tmp.1.dr, 679f3b.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000C.00000002.1911931937.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000C.00000000.1909595570.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000009.00000000.1907571554.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: Setup.msi, MSIAA87.tmp.1.dr, 679f3b.msi.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: ucrtbase.pdbUGP source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: Setup.msi, 679f3b.msi.1.dr
Source: C:\Windows\System32\msiexec.exe | File opened: z:
Source: C:\Windows\System32\msiexec.exe | File opened: x:
Source: C:\Windows\System32\msiexec.exe | File opened: v:
Source: C:\Windows\System32\msiexec.exe | File opened: t:
Source: C:\Windows\System32\msiexec.exe | File opened: r:
Source: C:\Windows\System32\msiexec.exe | File opened: p:
Source: C:\Windows\System32\msiexec.exe | File opened: n:
Source: C:\Windows\System32\msiexec.exe | File opened: l:
Source: C:\Windows\System32\msiexec.exe | File opened: j:
Source: C:\Windows\System32\msiexec.exe | File opened: h:
Source: C:\Windows\System32\msiexec.exe | File opened: f:
Source: C:\Windows\System32\msiexec.exe | File opened: b:
Source: C:\Windows\System32\msiexec.exe | File opened: y:
Source: C:\Windows\System32\msiexec.exe | File opened: w:
Source: C:\Windows\System32\msiexec.exe | File opened: u:
Source: C:\Windows\System32\msiexec.exe | File opened: s:
Source: C:\Windows\System32\msiexec.exe | File opened: q:
Source: C:\Windows\System32\msiexec.exe | File opened: o:
Source: C:\Windows\System32\msiexec.exe | File opened: m:
Source: C:\Windows\System32\msiexec.exe | File opened: k:
Source: C:\Windows\System32\msiexec.exe | File opened: i:
Source: C:\Windows\System32\msiexec.exe | File opened: g:
Source: C:\Windows\System32\msiexec.exe | File opened: e:
Source: C:\Windows\System32\cmd.exe | File opened: c:
Source: C:\Windows\System32\msiexec.exe | File opened: a:
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 12_2_00007FFE0132A330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn

Networking

Source: Network traffic | Suricata IDS: 2829202 - Severity 1 - ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA : 192.168.2.4:49730 -> 172.67.164.25:443
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: cubermo.com
Source: unknown | HTTP traffic detected: POST /updater.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded; charset=utf-8
    User-Agent: AdvancedInstaller
    Host: cubermo.com
    Content-Length: 71
    Cache-Control: no-cache
Source: Setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 679f3b.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 679f3b.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Setup.msi, 679f3b.msi.1.dr | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: powershell.exe, 00000003.00000002.1859335032.0000000007A72000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micro
Source: Setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 679f3b.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Setup.msi, 679f3b.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr | String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: Setup.msi, 679f3b.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: Setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 679f3b.msi.1.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 679f3b.msi.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr | String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: Setup.msi, 679f3b.msi.1.dr | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0K
Source: Setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 679f3b.msi.1.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: powershell.exe, 00000003.00000002.1857645773.00000000061B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: Setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 679f3b.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0H
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr | String found in binary or memory: http://ocsp.digicert.com0I
Source: Setup.msi, 679f3b.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0K
Source: Setup.msi, 679f3b.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0N
Source: Setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 679f3b.msi.1.dr | String found in binary or memory: http://ocsp.digicert.com0O
Source: powershell.exe, 00000003.00000002.1855430660.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1858955559.00000000079ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Setup.msi, 679f3b.msi.1.dr | String found in binary or memory: http://schemas.mick
Source: powershell.exe, 00000003.00000002.1855430660.0000000005151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1855430660.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1858955559.00000000079ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 679f3b.msi.1.dr | String found in binary or memory: http://www.digicert.com/CPS0
Source: ImporterREDServer.exe.1.dr, dvacore.dll.1.dr | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: ImporterREDServer.exe, 0000000C.00000002.1911931937.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr | String found in binary or memory: http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter-
Source: powershell.exe, 00000003.00000002.1855430660.0000000005151000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBkq
Source: Setup.msi, 679f3b.msi.1.dr | String found in binary or memory: https://aka.ms/winui2/webview2download/Reload():
Source: powershell.exe, 00000003.00000002.1857645773.00000000061B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.1857645773.00000000061B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.1857645773.00000000061B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: Setup.msi, 679f3b.msi.1.dr | String found in binary or memory: https://cubermo.com/updater.phpx
Source: powershell.exe, 00000003.00000002.1855430660.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1858955559.00000000079ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.1855430660.00000000055AC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
Source: powershell.exe, 00000003.00000002.1858862485.00000000079B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://go.micros
Source: powershell.exe, 00000003.00000002.1857645773.00000000061B7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: Setup.msi, ImporterREDServer.exe.1.dr, dvacore.dll.1.dr, 679f3b.msi.1.dr | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | HTTPS traffic detected: 172.67.164.25:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\679f38.msiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA8FC.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA99A.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA9D9.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAA19.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAA87.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAAB7.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIAAE7.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC805.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{5A278211-3D84-49CA-AC02-C993B0AB8CAA}Jump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID41C.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID42C.tmpJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\679f3b.msiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\679f3b.msiJump to behavior
Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSIA8FC.tmpJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_04FD32A0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_0000000140012220
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_0000000140008390
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_0000000140007FC0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE0132F9B0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE01342208
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE0135F9DA
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE01352880
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE0132E8B0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE013360D0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE0133ABB0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE01344340
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE0135A27C
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE01346338
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE0135BDA0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE013595A8
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE01352D70
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE0133CDF0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE01346C84
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE01336440
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE01339460
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE01340C60
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE01345470
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE0133BCD0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE013544E0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE0132C780
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE01344780
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE01338FB0
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE0132D810
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE0135B698
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE01343F00
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE0133DF10
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE01340710
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE1A4F7508
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: String function: 000000014000BC30 appears 53 times
Source: api-ms-win-core-handle-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.1.dr Static PE information: No import functions for PE file found
Source: Setup.msi Binary or memory string: OriginalFilenameAICustAct.dllF vs Setup.msi
Source: Setup.msi Binary or memory string: OriginalFilenameSoftwareDetector.dllF vs Setup.msi
Source: Setup.msi Binary or memory string: OriginalFilenameDataUploader.dllF vs Setup.msi
Source: Setup.msi Binary or memory string: OriginalFilenamePowerShellScriptLauncher.dllF vs Setup.msi
Source: Setup.msi Binary or memory string: OriginalFilenameucrtbase.dllj% vs Setup.msi
Source: Setup.msi Binary or memory string: OriginalFilenamevcruntime140.dllT vs Setup.msi
Source: Setup.msi Binary or memory string: OriginalFilenamemsvcp140.dllT vs Setup.msi
Source: Setup.msi Binary or memory string: OriginalFilenameMicrosoft.Web.WebView2.Core.dll vs Setup.msi
Source: Setup.msi Binary or memory string: OriginalFilenameMicrosoft.UI.Xaml.dllD vs Setup.msi
Source: Setup.msi Binary or memory string: OriginalFilenameembeddeduiproxy.dllF vs Setup.msi
Source: dvacore.dll.1.dr Binary string: Win.FileUtils path: Throw file exception with last error (HRESULT): $$$/dvacore/utility/FileUtils_WIN/Unknown=Unknown$$$/dvacore/utility/FileUtils_WIN/Invalid=Invalid$$$/dvacore/utility/FileUtils_WIN/Removable=Removable$$$/dvacore/utility/FileUtils_WIN/Fixed=Local Disk$$$/dvacore/utility/FileUtils_WIN/Network=Network$$$/dvacore/utility/FileUtils_WIN/CDROM=CD-ROM$$$/dvacore/utility/FileUtils_WIN/RAMDisk=RAM Disk_:\Device\Floppy\\?\\\?\UNC (error Unable to delete \/.\\127.0.0.1xt4
Source: classification engine Classification label: mal64.evad.winMSI@17/91@1/1
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_0000000140010BE0 GetLastError,FormatMessageA
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE0132A7B0 GetDiskFreeSpaceExW,_invalid_parameter_noinfo_noreturn
Source: C:\Windows\System32\msiexec.exe File created: C:\Users\user\AppData\Roaming\Microsoft\CMLDB38.tmp
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1460:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2872:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3052:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2912:120:WilError_03
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF2BD0B1E793F1A313.TMP
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Windows\SysWOW64\msiexec.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Setup.msi"
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3D12795788B3B48CFEE010738CCB41BA
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrD4C0.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrD4C1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3D12795788B3B48CFEE010738CCB41BA
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Windows\System32\msiexec.exe Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrD4C0.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrD4C1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
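The process-creation records above are the part of this report a detection engineer will reuse: msiexec.exe (the 32-bit custom-action host) launching powershell.exe with -ExecutionPolicy Bypass against scripts in AppData\Local\Temp, msiexec.exe launching cmd.exe /c on a .bat in AppData\Roaming, and cmd.exe then starting an .exe from that same AppData\Roaming folder. The following is an added example, not part of the Joe Sandbox report and not code from the sample: it encodes those three parent/child/command-line patterns as rules and runs them over process-creation events constructed from the command lines listed in this report (plus one constructed benign control, explorer.exe running a -ExecutionPolicy Bypass script from C:\Scripts, to show the msiexec parent is what discriminates). The ProcEvent record and the rule names are assumptions chosen for this example; a real deployment would map them onto Sysmon Event ID 1 or Windows Security 4688 fields.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (hypothetical schema for this example)."""
    parent: str    # parent image path
    image: str     # child image path
    cmdline: str   # child command line


# Constructed sample events, taken from the "Process created" lines of the report.
# The last event is a constructed benign control and is NOT from the report.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\SysWOW64\msiexec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding 3D12795788B3B48CFEE010738CCB41BA"),
    ProcEvent(r"C:\Windows\SysWOW64\msiexec.exe",
              r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" '
              r'-propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt"'),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" '
              r'"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""'),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe",
              r'"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'-ExecutionPolicy Bypass -File "C:\Scripts\deploy.ps1"'),  # benign control, constructed
]

# User-writable locations the dropper used: %LOCALAPPDATA%\Temp and %APPDATA%.
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local\\Temp|Roaming)\\", re.IGNORECASE)
FILE_SWITCH = re.compile(r"(?:^|\s)-file\b", re.IGNORECASE)   # avoids matching -propFile


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_msiexec_to_powershell_bypass(ev: ProcEvent) -> bool:
    """msiexec (either bitness) spawning powershell with -ExecutionPolicy Bypass
    and a -File argument that points into a user-writable temp directory."""
    if _basename(ev.parent) != "msiexec.exe" or _basename(ev.image) != "powershell.exe":
        return False
    cl = ev.cmdline.lower()
    return ("-executionpolicy bypass" in cl
            and FILE_SWITCH.search(ev.cmdline) is not None
            and USER_WRITABLE.search(ev.cmdline) is not None)


def rule_msiexec_to_cmd_batch_in_appdata(ev: ProcEvent) -> bool:
    """msiexec spawning cmd.exe /c on a .bat located under AppData."""
    if _basename(ev.parent) != "msiexec.exe" or _basename(ev.image) != "cmd.exe":
        return False
    cl = ev.cmdline.lower()
    return "/c" in cl and ".bat" in cl and USER_WRITABLE.search(ev.cmdline) is not None


def rule_cmd_launches_exe_from_appdata(ev: ProcEvent) -> bool:
    """cmd.exe starting an executable whose image lives under AppData."""
    return (_basename(ev.parent) == "cmd.exe"
            and ev.image.lower().endswith(".exe")
            and USER_WRITABLE.search(ev.image) is not None)


RULES = {
    "msiexec_to_powershell_bypass": rule_msiexec_to_powershell_bypass,
    "msiexec_to_cmd_batch_in_appdata": rule_msiexec_to_cmd_batch_in_appdata,
    "cmd_launches_exe_from_appdata": rule_cmd_launches_exe_from_appdata,
}


def scan(events) -> list:
    """Return (rule_name, child_image_basename) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, _basename(ev.image)))
    return hits


if __name__ == "__main__":
    for name, child in scan(SAMPLE_EVENTS):
        print(f"{name}: {child}")
```

Running it yields one hit per rule, in the order the chain executed (powershell.exe, cmd.exe, ImporterREDServer.exe), and nothing for the benign control or for the 64-bit to 32-bit msiexec hand-off, which is normal Windows Installer behaviour. In production the first rule will also fire on legitimate Advanced Installer packages, since the pssXXXX.ps1 / -propFile / -scriptFile argument shape above is that tool's PowerShellScriptLauncher custom action (one of the OriginalFilename strings reported for Setup.msi); keep it as a medium-severity signal and let the second and third rules, which need a batch file and an executable dropped under AppData\Roaming, carry the weight. Separately, do not count the "No import functions for PE file found" hits on the api-ms-win-* files as evidence: those are the Universal CRT's API set forwarder DLLs, which have no import table by design.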
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windowmanagementapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: inputhost.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.ui.immersive.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: atlthunk.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Section loaded: dbgcore.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: dvacore.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: vcruntime140.dll (2 occurrences)
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: vcruntime140_1.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: libzip.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: boost_system.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: boost_date_time.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: boost_threads.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: boost_filesystem.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: dvaunittesting.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: utest.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\msiexec.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5A278211-3D84-49CA-AC02-C993B0AB8CAA}
Source: Setup.msi | Static file information: File size 60325376 > 1048576
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb source: createdump.exe, 00000009.00000000.1907571554.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb= source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb2+' source: ImporterREDServer.exe, 0000000C.00000000.1909595570.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb)) source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: ucrtbase.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140_1.amd64.pdb source: ImporterREDServer.exe, 0000000C.00000002.1912497165.00007FFE1A4E5000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdbk source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdbGCTL source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\DataUploader.pdbj source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdbm source: Setup.msi, MSIAA87.tmp.1.dr, 679f3b.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcamp140_app.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vccorlib140_app.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdbGCTL source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\WinUiBootstrapperEui\WinUiBootstrapperEui.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\stubs\x86\ExternalUi.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\msvcp140_app.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: api-ms-win-core-synch-l1-1-0.dll.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\dvacore\lib\win\release\64\dvacore.pdb source: ImporterREDServer.exe, 0000000C.00000002.1911931937.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\PowerShellScriptLauncher.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: E:\BA\201\s\140_release\vcrt_fwd_x86_release\Release\vcomp140_app.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb!! source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: ImporterREDServer.exe, 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: api-ms-win-core-errorhandling-l1-1-0.dll.1.dr
Source: Binary string: C:\a\_work\1\s\BuildOutput\Release\x86\Microsoft.UI.Xaml\Microsoft.UI.Xaml.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: D:\releases\dva\shared\adobe\MediaCore\Importers\ImporterREDServer\Targets\Win\Release\64\ImporterREDServer.pdb source: ImporterREDServer.exe, 0000000C.00000000.1909595570.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe, 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp, ImporterREDServer.exe.1.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr
Source: Binary string: D:\a\_work\1\s\140_release\vcrt_fwd_x86_release\Release\vcruntime140_app.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: api-ms-win-core-file-l1-1-0.dll.1.dr
Source: Binary string: D:\a\1\s\Win32\Release\Microsoft.Toolkit.Win32.UI.XamlApplication\Microsoft.Toolkit.Win32.UI.XamlHost.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\bin\x86\embeddeduiproxy.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\debug\createdump\createdump.pdb;;;GCTL source: createdump.exe, 00000009.00000000.1907571554.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp, createdump.exe, 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: d:\a01\_work\12\s\\binaries\amd64ret\bin\amd64\\msvcp140.amd64.pdb source: ImporterREDServer.exe, 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\SoftwareDetector.pdb source: Setup.msi, MSIAA87.tmp.1.dr, 679f3b.msi.1.dr
Source: Binary string: Microsoft.Web.WebView2.Core.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: ucrtbase.pdbUGP source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: api-ms-win-core-profile-l1-1-0.dll.1.dr
Source: Binary string: C:\ReleaseAI\win\Release\custact\x86\AICustAct.pdb source: Setup.msi, 679f3b.msi.1.dr
Source: Binary string: D:\a\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdbGCTL source: Setup.msi, 679f3b.msi.1.dr
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr | Static PE information: 0x8A188CB0 [Tue Jun 2 13:31:28 2043 UTC]
Source: vcruntime140.dll.1.dr | Static PE information: section name: _RDATA
Source: UnRar.exe.1.dr | Static PE information: section name: _RDATA
Source: BCUninstaller.exe.1.dr | Static PE information: section name: _RDATA
Source: createdump.exe.1.dr | Static PE information: section name: _RDATA
Source: MSID42C.tmp.1.dr | Static PE information: section name: .fptable
Source: MSIA8FC.tmp.1.dr | Static PE information: section name: .fptable
Source: MSIA99A.tmp.1.dr | Static PE information: section name: .fptable
Source: MSIA9D9.tmp.1.dr | Static PE information: section name: .fptable
Source: MSIAA19.tmp.1.dr | Static PE information: section name: .fptable
Source: MSIAA87.tmp.1.dr | Static PE information: section name: .fptable
Source: MSIAAB7.tmp.1.dr | Static PE information: section name: .fptable
Source: MSIAAE7.tmp.1.dr | Static PE information: section name: .fptable
Source: MSIC805.tmp.1.dr | Static PE information: section name: .fptable
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 3_2_04FDBD8C push esp; ret 3_2_04FDBD93
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\utest.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSID42C.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIAAB7.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA99A.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_threads.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_date_time.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\msvcp140.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_filesystem.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIAA87.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIAAE7.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_system.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140_1.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIC805.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA9D9.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIA8FC.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSIAA19.tmp
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe | File created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | Code function: 12_2_00007FFE0135C0C0 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,12_2_00007FFE0135C0C0
Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX (26 occurrences)
Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX (2 occurrences)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (83 occurrences)
Source: C:\Windows\System32\cmd.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3455
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1817
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIAA87.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSID42C.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIAAB7.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIAAE7.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA99A.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC805.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA9D9.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIA8FC.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIAA19.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe API coverage: 8.2 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5472 Thread sleep count: 3455 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6340 Thread sleep count: 1817 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1612 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6832 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE0132A330 FindFirstFileExW,FindClose,wcscpy_s,_invalid_parameter_noinfo_noreturn,12_2_00007FFE0132A330
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: 679f3b.msi.1.dr Binary or memory string: HKEY_USERSRegOpenKeyTransactedW::NetUserGetInfo() failed with error: \@invalid string_view positionVMware, Inc.VMware Virtual PlatformVMware7,1VMware20,1innotek GmbHVirtualBoxMicrosoft CorporationVirtual MachineVRTUALACRSYSA M IGetting system informationManufacturer [Model [BIOS [\\?\UNC\\\?\shim_clone%d.%d.%d.%dDllGetVersion[%!]%!ProgramFilesFolderCommonFilesFolderDesktopFolderAllUsersDesktopFolderAppDataFolderFavoritesFolderStartMenuFolderProgramMenuFolderStartupFolderFontsFolderLocalAppDataFolderCommonAppDataFolderProgramFiles64FolderProgramFilesProgramW6432SystemFolderSystem32FolderWindowsFolderWindowsVolumeTempFolderSETUPEXEDIRshfolder.dllSHGetFolderPathWProgramFilesAPPDATAPROGRAMFILES&+
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Code function: 9_2_00007FF6596B2ECC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,9_2_00007FF6596B2ECC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Code function: 9_2_00007FF6596B3074 SetUnhandledExceptionFilter,9_2_00007FF6596B3074
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Code function: 9_2_00007FF6596B2984 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,9_2_00007FF6596B2984
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_0000000140011004 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_0000000140011004
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_0000000140011D78 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,12_2_0000000140011D78
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_0000000140011F24 SetUnhandledExceptionFilter,12_2_0000000140011F24
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE01372CDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00007FFE01372CDC
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE1A4E4568 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00007FFE1A4E4568
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: 12_2_00007FFE1A50004C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,12_2_00007FFE1A50004C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrD4C0.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrD4C1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -noninteractive -executionpolicy bypass -file "c:\users\user\appdata\local\temp\pssd4d2.ps1" -propfile "c:\users\user\appdata\local\temp\msid4bf.txt" -scriptfile "c:\users\user\appdata\local\temp\scrd4c0.ps1" -scriptargsfile "c:\users\user\appdata\local\temp\scrd4c1.txt" -propsep " :<->: " -linesep " <<:>> " -testprefix "_testvalue."
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe Code function: ___lc_locale_name_func,GetLocaleInfoEx,12_2_00007FFE0134EFC0
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe Code function: 9_2_00007FF6596B2DA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,9_2_00007FF6596B2DA0
MITRE ATT&CK matrix (a number before a technique is the count of matching signatures):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
--- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
Gather Victim Identity Information | 1 Scripting | 1 Replication Through Removable Media | 1 Command and Scripting Interpreter | 1 Windows Service | 1 Windows Service | 21 Masquerading | OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 PowerShell | 1 Scripting | 11 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 11 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 21 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Obfuscated Files or Information | Cached Domain Credentials | 11 Peripheral Device Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 24 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 File Deletion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1579143
Sample: Setup.msi
Startdate: 20/12/2024
Architecture: WINDOWS
Score: 64

Start
  DNS/IP: cubermo.com
  Signatures: Suricata IDS alerts for network traffic; AI detected suspicious sample; Sigma detected: Suspicious Script Execution From Temp Folder; Sigma detected: Script Interpreter Execution From Suspicious Folder
  msiexec.exe 139 107 (started)
    dropped: C:\Windows\Installer\MSID42C.tmp, PE32
    dropped: C:\Windows\Installer\MSIC805.tmp, PE32
    dropped: C:\Windows\Installer\MSIAAE7.tmp, PE32
    dropped: 52 other files (none is malicious)
    msiexec.exe 14 (started)
      DNS/IP: cubermo.com 172.67.164.25, 443, 49730 CLOUDFLARENETUS United States
      dropped: C:\Users\user\AppData\Local\...\scrD4C0.ps1, Unicode
      dropped: C:\Users\user\AppData\Local\...\pssD4D2.ps1, Unicode
      dropped: C:\Users\user\AppData\Local\...\msiD4BF.txt, Unicode
      signature: Bypasses PowerShell execution policy
      powershell.exe 17 (started)
        conhost.exe (started)
    cmd.exe 1 (started)
      ImporterREDServer.exe 1 (started)
        conhost.exe (started)
      conhost.exe (started)
    createdump.exe 1 (started)
      conhost.exe (started)
  msiexec.exe 2 (started)



No Antivirus matches
Source | Detection | Scanner | Label | Link
--- | --- | --- | --- | ---
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-console-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-datetime-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-errorhandling-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-file-l2-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-handle-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-heap-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-interlocked-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-libraryloader-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-localization-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-memory-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-namedpipe-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processenvironment-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-processthreads-l1-1-1.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-profile-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-rtlsupport-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-string-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-synch-l1-2-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-sysinfo-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-timezone-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-core-util-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-conio-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-convert-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-environment-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\api-ms-win-crt-filesystem-l1-1-0.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_date_time.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_filesystem.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_program_options.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_regex.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_system.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\boost_threads.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\msvcp140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\utest.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\vcruntime140_1.dll | 0% | ReversingLabs | |
C:\Windows\Installer\MSIA8FC.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIA99A.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIA9D9.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIAA19.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIAA87.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIAAB7.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIAAE7.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSIC805.tmp | 0% | ReversingLabs | |
C:\Windows\Installer\MSID42C.tmp | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
cubermo.com | 172.67.164.25 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://cubermo.com/updater.php | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000003.00000002.1857645773.00000000061B7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://go.micros | powershell.exe, 00000003.00000002.1858862485.00000000079B0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://crl.micro | powershell.exe, 00000003.00000002.1859335032.0000000007A72000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000003.00000002.1855430660.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1858955559.00000000079ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000003.00000002.1855430660.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1858955559.00000000079ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://go.micro | powershell.exe, 00000003.00000002.1855430660.00000000055AC000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/ | powershell.exe, 00000003.00000002.1857645773.00000000061B7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000003.00000002.1857645773.00000000061B7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/License | powershell.exe, 00000003.00000002.1857645773.00000000061B7000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contoso.com/Icon | powershell.exe, 00000003.00000002.1857645773.00000000061B7000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.mick | Setup.msi, 679f3b.msi.1.dr | false | | unknown
http://xml.org/sax/features/external-general-entitieshttp://xml.org/sax/features/external-parameter- | ImporterREDServer.exe, 0000000C.00000002.1911931937.00000001802BD000.00000002.00000001.01000000.00000008.sdmp, dvacore.dll.1.dr | false | | unknown
https://aka.ms/pscore6lBkq | powershell.exe, 00000003.00000002.1855430660.0000000005151000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://aka.ms/winui2/webview2download/Reload(): | Setup.msi, 679f3b.msi.1.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000003.00000002.1855430660.0000000005151000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cubermo.com/updater.phpx | Setup.msi, 679f3b.msi.1.dr | false | | unknown
https://github.com/Pester/Pester | powershell.exe, 00000003.00000002.1855430660.00000000052A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1858955559.00000000079ED000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
172.67.164.25 | cubermo.com | United States | | 13335 | CLOUDFLARENETUS | true
                                        Joe Sandbox version:41.0.0 Charoite
                                        Analysis ID:1579143
                                        Start date and time:2024-12-20 22:46:19 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 7m 53s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:15
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:Setup.msi
                                        Detection:MAL
                                        Classification:mal64.evad.winMSI@17/91@1/1
                                        EGA Information:
                                        • Successful, ratio: 33.3%
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 15
                                        • Number of non-executed functions: 183
                                        Cookbook Comments:
                                        • Found application associated with file extension: .msi
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                        • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.63
                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target ImporterREDServer.exe, PID 5300 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 2924 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                        • VT rate limit hit for: Setup.msi
Time | Type | Description
16:47:28 | API Interceptor | 4x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
172.67.164.25 | file.exe | Get hash | malicious | RedLine, SmokeLoader | Browse | sqribble.com/admin
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
cubermo.com | q9bzWO2X1r.msi | Get hash | malicious | Unknown | Browse | 172.67.164.25
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | q9bzWO2X1r.msi | Get hash | malicious | Unknown | Browse | 172.67.164.25
 | file.exe | Get hash | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | Browse | 104.21.91.209
 | https://p.usertrackjvg.top/us | Get hash | malicious | HTMLPhisher | Browse | 104.21.39.136
 | Setup (3).exe.zip | Get hash | malicious | Unknown | Browse | 104.18.26.149
 | https://contractorssteelform1flows.powerappsportals.com/ | Get hash | malicious | HTMLPhisher | Browse | 104.18.31.19
 | file.exe | Get hash | malicious | LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig | Browse | 172.67.197.170
 | dF66DKQP7u.exe | Get hash | malicious | XWorm | Browse | 104.20.3.235
 | 2QaN4hOyJs.exe | Get hash | malicious | XWorm | Browse | 104.20.3.235
 | https://tekascend.com/Ray-verify.html | Get hash | malicious | NetSupport RAT | Browse | 1.1.1.1
 | YgJ5inWPQO.exe | Get hash | malicious | AsyncRAT, XWorm | Browse | 104.20.22.46
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
37f463bf4616ecd445d4a1937da06e19 | q9bzWO2X1r.msi | Get hash | malicious | Unknown | Browse | 172.67.164.25
 | doc00290320092.jse | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 172.67.164.25
 | Fortexternal.exe | Get hash | malicious | Unknown | Browse | 172.67.164.25
 | 676556be12ac3.vbs | Get hash | malicious | Mint Stealer | Browse | 172.67.164.25
 | PKO_0019289289544_PDF_#U2463#U2466#U2465#U2462#U2461#U2466#U2464#U2462.hta | Get hash | malicious | Mint Stealer | Browse | 172.67.164.25
 | ktyihkdfesf.exe | Get hash | malicious | Vidar | Browse | 172.67.164.25
 | pjthjsdjgjrtavv.exe | Get hash | malicious | Vidar | Browse | 172.67.164.25
 | FinTP-Update.exe | Get hash | malicious | CobaltStrike | Browse | 172.67.164.25
 | hrupdate.exe | Get hash | malicious | CobaltStrike | Browse | 172.67.164.25
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe | q9bzWO2X1r.msi | Get hash | malicious | Unknown | Browse |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\UnRar.exe | q9bzWO2X1r.msi | Get hash | malicious | Unknown | Browse |
 | Setup.msi | Get hash | malicious | Unknown | Browse |
 | build.msi | Get hash | malicious | Unknown | Browse |
 | Setup.msi | Get hash | malicious | Unknown | Browse |
 | New xlsx docs074252657723824 - Tuesday, December 3, 2024 at 03_42_05 PM_html | Get hash | malicious | Unknown | Browse |
 | m9u08f2pMF.msi | Get hash | malicious | Unknown | Browse |
 | cwqqRXEhZb.msi | Get hash | malicious | Unknown | Browse |
 | Setup.msi | Get hash | malicious | Unknown | Browse |
 | file.exe | Get hash | malicious | Unknown | Browse |
 | file.exe | Get hash | malicious | Unknown | Browse |
C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\BCUninstaller.exe | q9bzWO2X1r.msi | Get hash | malicious | Unknown | Browse |
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):20965
                                                                Entropy (8bit):5.7776104662482535
                                                                Encrypted:false
                                                                SSDEEP:384:AGcjoNupbLBFHIWStNMlbjwRtr1e9QQeGeNrKq1Y+kvbumPDPrhkbNP4CxHxFtQI:AGcjoNupbLBFHIWStNMlbjwRtr1e9QQ4
                                                                MD5:79A735C0E6E1E2AB30A3CCA189E635B7
                                                                SHA1:1A75814ADBF4BA353011BDD24952220EA91748A4
                                                                SHA-256:E2775EC0EE05BD9D2C554264222D583AA02517C0D3CC1D6B010996991E3D10A5
                                                                SHA-512:B478A70B8E931B0F0D1EC3C7DBBC99D4C46E7B0E5EE416B0D98ED63AF4415FF261EAC1ADC6EB7107176B4E62C6C5332F6484C83CCB7C5E28272D5C5D9CEF67AD
                                                                Malicious:false
                                                                Preview:...@IXOS.@.....@.Y.@.....@.....@.....@.....@.....@......&.{5A278211-3D84-49CA-AC02-C993B0AB8CAA}..App x installer..Setup.msi.@.....@.....@.....@......icon_22.exe..&.{EF350A28-9BA8-4F85-B94C-53D911CB898F}.....@.....@.....@.....@.......@.....@.....@.......@......App x installer......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]....ProcessComponents..Updating component registration..&.{F39C344E-A83E-4760-8DA8-F27602095B4F}&.{5A278211-3D84-49CA-AC02-C993B0AB8CAA}.@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}&.{5A278211-3D84-49CA-AC02-C993B0AB8CAA}.@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}&.{5A278211-3D84-49CA-AC02-C993B0AB8CAA}.@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}&.{5A278211-3D84-49CA-AC02-C993B0AB8CAA}.@......&.{DE28A560-E5E1-4035-8CA3-44934686A249}&.{5A278211-3D84-49CA-AC02-C993B0AB8CAA}.@......&.{03D39B98-E7BB-4062-BD92-307D642A5CF1}&.{5A278211-3D84-49CA-AC02-C993B0AB8CAA}.@......&.{279C32E3-A00A-4513-9A8B-D3984A41A6FB}&.{5A2782
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):1360
                                                                Entropy (8bit):5.413197223328133
                                                                Encrypted:false
                                                                SSDEEP:24:3UWSKco4KmZjKbm51s4RPT6moUebIKo+mZ9t7J0gt/NK3R82r+SVbR:EWSU4xymI4RfoUeW+mZ9tK8NWR82jVbR
                                                                MD5:1A8B62C28399515602DCA9C94C2B2490
                                                                SHA1:384EB5E2AFB32EC137CE02833466A20048E2A689
                                                                SHA-256:B5A234A10D8D76E65C18EA63D097512F3D53FC5739EF7A8099AC8B22FA7C9F00
                                                                SHA-512:095BD0CB3027199DDB62FFDA863673CED39884DFE0F9B9BECDF2A1CC6674D27F8AD8D0E965C1F38E4D63140F7E0DCBCA8D443E5A48E543FE0B13DA2FF2ED5CE8
                                                                Malicious:false
                                                                Preview:@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:ASCII text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):60
                                                                Entropy (8bit):4.038920595031593
                                                                Encrypted:false
                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                Malicious:false
                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                                File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                Category:dropped
                                                                Size (bytes):96
                                                                Entropy (8bit):2.99798449505456
                                                                Encrypted:false
                                                                SSDEEP:3:QmalTuOIAlSRYplflbPRYplf955:Qmalt9lLZiLN
                                                                MD5:F26BF481CA203C7D611850139ACBEF41
                                                                SHA1:EA86C45B436D1B8F5F42F87AE5034332A5BCFEC4
                                                                SHA-256:A6AE6BBFC3486BA26A9A3C67B127D6972D16B8B925BDE4AF20880EE1B1D997CB
                                                                SHA-512:D1D2AE7C30A146AC1A85BDC133CE1F105AFC6F4EC8C5BD21A8EAACD0910929D3A9FCB540AB533A253C296C51DC71D1AE58749F7449DAB1C530E82D78D3544E4E
                                                                Malicious:true
                                                                Preview:..C.e.v.e.r.a.l.S.e.s. .:.<.-.>.:. . .<.<.:.>.>. .T.r.i.a.l.N.o.w. .:.<.-.>.:. .0. .<.<.:.>.>. .
                                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):6668
                                                                Entropy (8bit):3.5127462716425657
                                                                Encrypted:false
                                                                SSDEEP:96:5Wb5VNkKmeHn/V2BVrIovmgNlGjxcj6BngOcvjb:5WbyZ/gVyvb
                                                                MD5:30C30EF2CB47E35101D13402B5661179
                                                                SHA1:25696B2AAB86A9233F19017539E2DD83B2F75D4E
                                                                SHA-256:53094DF6FA4E57A3265FF04BC1E970C10BCDB3D4094AD6DD610C05B7A8B79E0F
                                                                SHA-512:882BE2768138BB75FF7DDE7D5CA4C2E024699398BAACD0CE1D4619902402E054297E4F464D8CB3C22B2F35D3DABC408122C207FACAD64EC8014F2C54834CF458
                                                                Malicious:true
                                                                Preview:..p.a.r.a.m.(..... . .[.a.l.i.a.s.(.".p.r.o.p.F.i.l.e.".).]. . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.O.u.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".p.r.o.p.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.K.V.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".l.i.n.e.S.e.p.".).]. . . . . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.m.s.i.P.r.o.p.L.i.n.e.S.e.p.a.r.a.t.o.r..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.F.i.l.e.".).]. . . . .[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. .[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.F.i.l.e.P.a.t.h..... .,.[.a.l.i.a.s.(.".s.c.r.i.p.t.A.r.g.s.F.i.l.e.".).].[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.f.a.l.s.e.).].[.s.t.r.i.n.g.]. .$.u.s.e.r.S.c.r.i.p.t.A.r.g.s.F.i.l.e.P.a.t.h..... .,.[.P.a.r.a.m.e.t.e.r.(.M.a.n.d.a.t.o.r.y.=.$.t.r.u.e.).]. . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                Process:C:\Windows\SysWOW64\msiexec.exe
                                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):250
                                                                Entropy (8bit):3.576902729499699
                                                                Encrypted:false
                                                                SSDEEP:6:QfFok79idK3fclQ9zgltHN+KiVmMXFVrMTlp1LlG7JidK3fpdInO:QfF3IugM/XFVrMTWNvn
                                                                MD5:479FAC6E0C05C5A57698619AFE51DEF2
                                                                SHA1:1AF4A4DB75ACE8324ED7BFF59D711E80A7BDB821
                                                                SHA-256:700080D274E5629A2BFA0D47B9BAF53AD69E67A64A2B04D84115D5851AB3DDBD
                                                                SHA-512:B0B5065C216EBC1124B985F3FF86EE7C7E7E9B994190D1103C454EDD602E0242B7160BFFB202538470254675DFACAC6159F1A459B979DAD563BDED84FCED193E
                                                                Malicious:true
                                                                Preview:..$.o.i.g.n.q.p. .=. .A.I._.G.e.t.M.s.i.P.r.o.p.e.r.t.y. .".C.e.v.e.r.a.l.S.e.s.".....$.a.v.o.i.j.g. .=. .[.u.i.n.t.3.2.].(.$.o.i.g.n.q.p. .-.r.e.p.l.a.c.e. .'.b.'.,. .'.'.).....A.I._.S.e.t.M.s.i.P.r.o.p.e.r.t.y. .".T.r.i.a.l.N.o.w.". .$.a.v.o.i.j.g.
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):310928
                                                                Entropy (8bit):6.001677789306043
                                                                Encrypted:false
                                                                SSDEEP:3072:Zczkitvo4BpYN/6mBPry8TXROLdW5m4mURs9OOGC0kvxVCd7wANmSrvlPSIB0P+4:ZA4NCmBPry/N24OOjVxM7RNrrvEc0a
                                                                MD5:147B71C906F421AC77F534821F80A0C6
                                                                SHA1:3381128CA482A62333E20D0293FDA50DC5893323
                                                                SHA-256:7DCD48CEF4CC4C249F39A373A63BBA97C66F4D8AFDBE3BAB196FD452A58290B2
                                                                SHA-512:2FCD2127D9005D66431DD8C9BD5BC60A148D6F3DFE4B80B82672AFD0D148F308377A0C38D55CA58002E5380D412CE18BD0061CB3B12F4DAA90E0174144EA20C8
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Joe Sandbox View:
                                                                • Filename: q9bzWO2X1r.msi, Detection: malicious, Browse
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8.}|...|...|....../p....../v....../1...u.a.l....../u...|........./v....../}...Rich|...........PE..d...i..d..........".................`<.........@..........................................`.................................................t$...........S...`..@........(..............T.......................(.......8............................................text............................... ..`.rdata..............................@..@.data........@......................@....pdata..@....`.......&..............@..@_RDATA...............<..............@..@.rsrc....S.......T...>..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):117496
                                                                Entropy (8bit):6.136079902481222
                                                                Encrypted:false
                                                                SSDEEP:1536:P4ynPKh5ilvitpOeRZBMZTWTKnSU3hGe+K8b9Ate83CtyxZMPXR0qmOi4:PjoiaUDahe+B92e9tiMPXR0qmOX
                                                                MD5:F67792E08586EA936EBCAE43AAB0388D
                                                                SHA1:4A5B4009DE72DB003D57F8A4416D17F95B3539A8
                                                                SHA-256:4D434BB99C771524C35222E5C65EBEE87FD2F16DDA05BF6191F9723EECE2434D
                                                                SHA-512:F9E69377201E2DC577792F01B71ED3C9AF6C8AD52DD9E139C99EF1D9096F3EB7796F89642242BE8CEE4030EA9CF60EF1AA93D1B0890326A83CB9063E919F1E4A
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Joe Sandbox View:
                                                                • Filename: q9bzWO2X1r.msi, Detection: malicious, Browse
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........,|..B/..B/..B/.../..B/.G...B/.F...B/.A...B/.C...B/.C...B/..G...B/<.C...B/..C/..B/<.G...B/<../..B/.../..B/<.@...B/Rich..B/................PE..d.....-a..........#............................@.....................................].... .................................................D...,...............`....................]..T...................P_..(...P^...............0..H............................text............................... ..`.rdata...o...0...p..."..............@..@.data...@...........................@....pdata..`...........................@..@.rsrc...............................@..@........................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):506008
                                                                Entropy (8bit):6.4284173495366845
                                                                Encrypted:false
                                                                SSDEEP:6144:yY8mmN3YWYGAj9JwXScp39ioIKzKVEKfr01//bbh3S62Wt3A3ksFqXqjh6AusDyn:yY8XiWYGAkXh3Qqia/zAot3A6AhezSpK
                                                                MD5:98CCD44353F7BC5BAD1BC6BA9AE0CD68
                                                                SHA1:76A4E5BF8D298800C886D29F85EE629E7726052D
                                                                SHA-256:E51021F6CB20EFBD2169F2A2DA10CE1ABCA58B4F5F30FBF4BAE931E4ECAAC99B
                                                                SHA-512:D6E8146A1055A59CBA5E2AAF47F6CB184ACDBE28E42EC3DAEBF1961A91CEC5904554D9D433EBF943DD3639C239EF11560FA49F00E1CFF02E11CD8D3506C4125F
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Joe Sandbox View:
                                                                 • Filename: q9bzWO2X1r.msi, Detection: malicious
                                                                 • Filename: Setup.msi, Detection: malicious
                                                                 • Filename: build.msi, Detection: malicious
                                                                 • Filename: Setup.msi, Detection: malicious
                                                                 • Filename: New xlsx docs074252657723824 - Tuesday, December 3, 2024 at 03_42_05 PM_html, Detection: malicious
                                                                 • Filename: m9u08f2pMF.msi, Detection: malicious
                                                                 • Filename: cwqqRXEhZb.msi, Detection: malicious
                                                                 • Filename: Setup.msi, Detection: malicious
                                                                 • Filename: file.exe, Detection: malicious
                                                                 • Filename: file.exe, Detection: malicious
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12224
                                                                Entropy (8bit):6.596101286914553
                                                                Encrypted:false
                                                                SSDEEP:192:4nWYhWxWWFYg7VWQ4uWjXUtpwBqnajrmaaGJ:2WYhWvZqlQGJ
                                                                MD5:919E653868A3D9F0C9865941573025DF
                                                                SHA1:EFF2D4FF97E2B8D7ED0E456CB53B74199118A2E2
                                                                SHA-256:2AFBFA1D77969D0F4CEE4547870355498D5C1DA81D241E09556D0BD1D6230F8C
                                                                SHA-512:6AEC9D7767EB82EBC893EBD97D499DEBFF8DA130817B6BB4BCB5EB5DE1B074898F87DB4F6C48B50052D4F8A027B3A707CAD9D7ED5837A6DD9B53642B8A168932
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12224
                                                                Entropy (8bit):6.640081558424349
                                                                Encrypted:false
                                                                SSDEEP:192:iTWYhWyWWFYg7VWQ4uWq6Cu87ZqnajgnLSyu:sWYhWi1XHllk2yu
                                                                MD5:7676560D0E9BC1EE9502D2F920D2892F
                                                                SHA1:4A7A7A99900E41FF8A359CA85949ACD828DDB068
                                                                SHA-256:00942431C2D3193061C7F4DC340E8446BFDBF792A7489F60349299DFF689C2F9
                                                                SHA-512:F1E8DB9AD44CD1AA991B9ED0E000C58978EB60B3B7D9908B6EB78E8146E9E12590B0014FC4A97BC490FFE378C0BF59A6E02109BFD8A01C3B6D0D653A5B612D15
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):11712
                                                                Entropy (8bit):6.6023398138369505
                                                                Encrypted:false
                                                                SSDEEP:192:5WYhWYWWFYg7VWQ4SWSS/njxceXqnajLJ35H:5WYhW4gjmAlnJpH
                                                                MD5:AC51E3459E8FCE2A646A6AD4A2E220B9
                                                                SHA1:60CF810B7AD8F460D0B8783CE5E5BBCD61C82F1A
                                                                SHA-256:77577F35D3A61217EA70F21398E178F8749455689DB52A2B35A85F9B54C79638
                                                                SHA-512:6239240D4F4FA64FC771370FB25A16269F91A59A81A99A6A021B8F57CA93D6BB3B3FCECC8DEDE0EF7914652A2C85D84D774F13A4143536A3F986487A776A2EAE
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):11720
                                                                Entropy (8bit):6.614262942006268
                                                                Encrypted:false
                                                                SSDEEP:192:4WYhWFsWWFYg7VWQ4eWZzAR/BVrqnajcJH:4WYhWFMJRLlA5
                                                                MD5:B0E0678DDC403EFFC7CDC69AE6D641FB
                                                                SHA1:C1A4CE4DED47740D3518CD1FF9E9CE277D959335
                                                                SHA-256:45E48320ABE6E3C6079F3F6B84636920A367989A88F9BA6847F88C210D972CF1
                                                                SHA-512:2BADF761A0614D09A60D0ABB6289EBCBFA3BF69425640EB8494571AFD569C8695AE20130AAC0E1025E8739D76A9BFF2EFC9B4358B49EFE162B2773BE9C3E2AD4
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):11720
                                                                Entropy (8bit):6.654155040985372
                                                                Encrypted:false
                                                                SSDEEP:192:imxD3vEWYhWnWWFYg7VWQ4eWMOwNbDXbBqnaj0qJm8:iIEWYhWFpLbBlwqJm
                                                                MD5:94788729C9E7B9C888F4E323A27AB548
                                                                SHA1:B0BA0C4CF1D8B2B94532AA1880310F28E87756EC
                                                                SHA-256:ACCDD7455FB6D02FE298B987AD412E00D0B8E6F5FB10B52826367E7358AE1187
                                                                SHA-512:AB65495B1D0DD261F2669E04DC18A8DA8F837B9AC622FC69FDE271FF5E6AA958B1544EDD8988F017D3DD83454756812C927A7702B1ED71247E506530A11F21C6
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):15304
                                                                Entropy (8bit):6.548897063441128
                                                                Encrypted:false
                                                                SSDEEP:192:+AuVYPvVX8rFTsRWYhWyWWFYg7VWQ4eWQBAW+JSdqnajeMoLR9au:TBPvVXLWYhWiBdlaLFAu
                                                                MD5:580D9EA2308FC2D2D2054A79EA63227C
                                                                SHA1:04B3F21CBBA6D59A61CD839AE3192EA111856F65
                                                                SHA-256:7CB0396229C3DA434482A5EF929D3A2C392791712242C9693F06BAA78948EF66
                                                                SHA-512:97C1D3F4F9ADD03F21C6B3517E1D88D1BF9A8733D7BDCA1AECBA9E238D58FF35780C4D865461CC7CD29E9480B3B3B60864ABB664DCDC6F691383D0B281C33369
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):11712
                                                                Entropy (8bit):6.622041192039296
                                                                Encrypted:false
                                                                SSDEEP:192:dzWYhW1sWWFYg7VWQ4yWL3sQlmqnajlD4h1N:BWYhW2e6l94h1N
                                                                MD5:35BC1F1C6FBCCEC7EB8819178EF67664
                                                                SHA1:BBCAD0148FF008E984A75937AADDF1EF6FDA5E0C
                                                                SHA-256:7A3C5167731238CF262F749AA46AB3BFB2AE1B22191B76E28E1D7499D28C24B7
                                                                SHA-512:9AB9B5B12215E57AF5B3C588ED5003D978071DC591ED18C78C4563381A132EDB7B2C508A8B75B4F1ED8823118D23C88EDA453CD4B42B9020463416F8F6832A3D
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):11720
                                                                Entropy (8bit):6.730719514840594
                                                                Encrypted:false
                                                                SSDEEP:192:/VyWYhWjAWWFYg7VWQ4eWiuNwzNbDXbBqnaj0q:/VyWYhW8g+LbBlwq
                                                                MD5:3BF4406DE02AA148F460E5D709F4F67D
                                                                SHA1:89B28107C39BB216DA00507FFD8ADB7838D883F6
                                                                SHA-256:349A79FA1572E3538DFBB942610D8C47D03E8A41B98897BC02EC7E897D05237E
                                                                SHA-512:5FF6E8AD602D9E31AC88E06A6FBB54303C57D011C388F46D957AEE8CD3B7D7CCED8B6BFA821FF347ADE62F7359ACB1FBA9EE181527F349C03D295BDB74EFBACE
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):11720
                                                                Entropy (8bit):6.626458901834476
                                                                Encrypted:false
                                                                SSDEEP:192:P9RWYhWEWWFYg7VWQ4eWncTjxceXqnajLJS:LWYhWk3TjmAlnJS
                                                                MD5:BBAFA10627AF6DFAE5ED6E4AEAE57B2A
                                                                SHA1:3094832B393416F212DB9107ADD80A6E93A37947
                                                                SHA-256:C78A1217F8DCB157D1A66B80348DA48EBDBBEDCEA1D487FC393191C05AAD476D
                                                                SHA-512:D5FCBA2314FFE7FF6E8B350D65A2CDD99CA95EA36B71B861733BC1ED6B6BB4D85D4B1C4C4DE2769FBF90D4100B343C250347D9ED1425F4A6C3FE6A20AED01F17
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12232
                                                                Entropy (8bit):6.577869728469469
                                                                Encrypted:false
                                                                SSDEEP:192:5t6DjZlTIWYhWsWWFYg7VWQ4eW4MtkR/BVrqnajc:5t6Dll0WYhWMqkRLlA
                                                                MD5:3A4B6B36470BAD66621542F6D0D153AB
                                                                SHA1:5005454BA8E13BAC64189C7A8416ECC1E3834DC6
                                                                SHA-256:2E981EE04F35C0E0B7C58282B70DCC9FC0318F20F900607DAE7A0D40B36E80AF
                                                                SHA-512:84B00167ABE67F6B58341045012723EF4839C1DFC0D8F7242370C4AD9FABBE4FEEFE73F9C6F7953EAE30422E0E743DC62503A0E8F7449E11C5820F2DFCA89294
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):11712
                                                                Entropy (8bit):6.6496318655699795
                                                                Encrypted:false
                                                                SSDEEP:192:nWYhWNWWFYg7VWQ4uWtGDlR/BVrqnajcU8:nWYhWLJDlRLlAU8
                                                                MD5:A038716D7BBD490378B26642C0C18E94
                                                                SHA1:29CD67219B65339B637A1716A78221915CEB4370
                                                                SHA-256:B02324C49DD039FA889B4647331AA9AC65E5ADC0CC06B26F9F086E2654FF9F08
                                                                SHA-512:43CB12D715DDA4DCDB131D99127417A71A16E4491BC2D5723F63A1C6DFABE578553BC9DC8CF8EFFAE4A6BE3E65422EC82079396E9A4D766BF91681BDBD7837B1
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12736
                                                                Entropy (8bit):6.587452239016064
                                                                Encrypted:false
                                                                SSDEEP:192:FvuBL3BBLZWYhWxWWFYg7VWQ4uW4g0jrQYcunYqnajv9Ml:FvuBL3BPWYhWv8jYulhMl
                                                                MD5:D75144FCB3897425A855A270331E38C9
                                                                SHA1:132C9ADE61D574AA318E835EB78C4CCCDDEFDEA2
                                                                SHA-256:08484ED55E43584068C337281E2C577CF984BB504871B3156DE11C7CC1EEC38F
                                                                SHA-512:295A6699529D6B173F686C9BBB412F38D646C66AAB329EAC4C36713FDD32A3728B9C929F9DCADDE562F625FB80BC79026A52772141AD2080A0C9797305ADFF2E
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0......V`....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):14280
                                                                Entropy (8bit):6.658205945107734
                                                                Encrypted:false
                                                                SSDEEP:384:NOMw3zdp3bwjGzue9/0jCRrndbwNWYhW6WAulh2:NOMwBprwjGzue9/0jCRrndbw5D
                                                                MD5:8ACB83D102DABD9A5017A94239A2B0C6
                                                                SHA1:9B43A40A7B498E02F96107E1524FE2F4112D36AE
                                                                SHA-256:059CB23FDCF4D80B92E3DA29E9EF4C322EDF6FBA9A1837978FD983E9BDFC7413
                                                                SHA-512:B7ECF60E20098EA509B76B1CC308A954A6EDE8D836BF709790CE7D4BD1B85B84CF5F3AEDF55AF225D2D21FBD3065D01AA201DAE6C131B8E1E3AA80ED6FC910A4
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......._....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12224
                                                                Entropy (8bit):6.621310788423453
                                                                Encrypted:false
                                                                SSDEEP:96:qo1aCFEWYhWwp/DEs39DHDs35FrsvYgmr0DD0ADEs3TDL2L4m2grMWaLNpDEs3OC:teWYhWVWWFYg7VWQ4yWwAKZRqnajl6x7
                                                                MD5:808F1CB8F155E871A33D85510A360E9E
                                                                SHA1:C6251ABFF887789F1F4FC6B9D85705788379D149
                                                                SHA-256:DADBD2204B015E81F94C537AC7A36CD39F82D7C366C193062210C7288BAA19E3
                                                                SHA-512:441F36CA196E1C773FADF17A0F64C2BBDC6AF22B8756A4A576E6B8469B4267E942571A0AE81F4B2230B8DE55702F2E1260E8D0AFD5447F2EA52F467F4CAA9BC6
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...f092.........." .........................................................0............`.........................................`...l............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):11720
                                                                Entropy (8bit):6.7263193693903345
                                                                Encrypted:false
                                                                SSDEEP:192:cWYhWZSWWFYg7VWQ4eWkcc7ZqnajgnLSp:cWYhW84cllk2p
                                                                MD5:CFF476BB11CC50C41D8D3BF5183D07EC
                                                                SHA1:71E0036364FD49E3E535093E665F15E05A3BDE8F
                                                                SHA-256:B57E70798AF248F91C8C46A3F3B2952EFFAE92CA8EF9640C952467BC6726F363
                                                                SHA-512:7A87E4EE08169E9390D0DFE607E9A220DC7963F9B4C2CDC2F8C33D706E90DC405FBEE00DDC4943794FB502D9882B21FAAE3486BC66B97348121AE665AE58B01C
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....%..........." .........................................................0......[.....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12744
                                                                Entropy (8bit):6.601327134572443
                                                                Encrypted:false
                                                                SSDEEP:192:qKWYhWbWWFYg7VWQ4eWYoWjxceXqnajLJe:qKWYhWJ4WjmAlnJe
                                                                MD5:F43286B695326FC0C20704F0EEBFDEA6
                                                                SHA1:3E0189D2A1968D7F54E721B1C8949487EF11B871
                                                                SHA-256:AA415DB99828F30A396CBD4E53C94096DB89756C88A19D8564F0EED0674ADD43
                                                                SHA-512:6EAD35348477A08F48A9DEB94D26DA5F4E4683E36F0A46117B078311235C8B9B40C17259C2671A90D1A210F73BF94C9C063404280AC5DD5C7F9971470BEAF8B7
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0.......Z....`.........................................`...H............ ...................!..............T............................................................................rdata..x...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):14272
                                                                Entropy (8bit):6.519411559704781
                                                                Encrypted:false
                                                                SSDEEP:192:AWXk1JzX9cKSIvWYhWLWWFYg7VWQ4SWW0uI7oinEqnajxMyqY:AWXk1JzNcKSIvWYhW5+uOEle6
                                                                MD5:E173F3AB46096482C4361378F6DCB261
                                                                SHA1:7922932D87D3E32CE708F071C02FB86D33562530
                                                                SHA-256:C9A686030E073975009F993485D362CC31C7F79B683DEF713E667D13E9605A14
                                                                SHA-512:3AAFEFD8A9D7B0C869D0C49E0C23086115FD550B7DC5C75A5B8A8620AD37F36A4C24D2BF269043D81A7448C351FF56CB518EC4E151960D4F6BD655C38AFF547F
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...j............." .........................................................0......%C....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12232
                                                                Entropy (8bit):6.659079053710614
                                                                Encrypted:false
                                                                SSDEEP:192:NtxDfIeA6WYhW7WWFYg7VWQ4eWpB5ABzR/BVrqnajcb:NtxDfIeA6WYhWp28RLlA
                                                                MD5:9C9B50B204FCB84265810EF1F3C5D70A
                                                                SHA1:0913AB720BD692ABCDB18A2609DF6A7F85D96DB3
                                                                SHA-256:25A99BDF8BF4D16077DC30DD9FFEF7BB5A2CEAF9AFCEE7CF52AD408355239D40
                                                                SHA-512:EA2D22234E587AD9FA255D9F57907CC14327EAD917FDEDE8B0A38516E7C7A08C4172349C8A7479EC55D1976A37E520628006F5C362F6A3EC76EC87978C4469CD
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......6y....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):11200
                                                                Entropy (8bit):6.7627840671368835
                                                                Encrypted:false
                                                                SSDEEP:192:clIHyZ36WYhWulWWFYg7VWQ4yWqeQDbLtsQlmqnajlDC:clIHyZKWYhWKhlbp6l9C
                                                                MD5:0233F97324AAAA048F705D999244BC71
                                                                SHA1:5427D57D0354A103D4BB8B655C31E3189192FC6A
                                                                SHA-256:42F4E84073CF876BBAB9DD42FD87124A4BA10BB0B59D2C3031CB2B2DA7140594
                                                                SHA-512:8339F3C0D824204B541AECBD5AD0D72B35EAF6717C3F547E0FD945656BCB2D52E9BD645E14893B3F599ED8F2DE6D3BCBEBF3B23ED43203599AF7AFA5A4000311
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....f............" .........................................................0.......>....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12224
                                                                Entropy (8bit):6.590253878523919
                                                                Encrypted:false
                                                                SSDEEP:192:4GeVvXK9WYhW1WWFYg7VWQ4yWj6k50IsQlmqnajlDl:4GeVy9WYhWzVk6l9l
                                                                MD5:E1BA66696901CF9B456559861F92786E
                                                                SHA1:D28266C7EDE971DC875360EB1F5EA8571693603E
                                                                SHA-256:02D987EBA4A65509A2DF8ED5DD0B1A0578966E624FCF5806614ECE88A817499F
                                                                SHA-512:08638A0DD0FB6125F4AB56E35D707655F48AE1AA609004329A0E25C13D2E71CB3EDB319726F10B8F6D70A99F1E0848B229A37A9AB5427BFEE69CD890EDFB89D2
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...._............" .........................................................0.......S....`.........................................`................ ...................!..............T............................................................................rdata..<...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):11720
                                                                Entropy (8bit):6.672720452347989
                                                                Encrypted:false
                                                                SSDEEP:192:byMvQWYhW5fWWFYg7VWQ4eWio3gDwcunYqnajv9JS:byMvQWYhW/BXwulhw
                                                                MD5:7A15B909B6B11A3BE6458604B2FF6F5E
                                                                SHA1:0FEB824D22B6BEEB97BCE58225688CB84AC809C7
                                                                SHA-256:9447218CC4AB1A2C012629AAAE8D1C8A428A99184B011BCC766792AF5891E234
                                                                SHA-512:D01DD566FF906AAD2379A46516E6D060855558C3027CE3B991056244A8EDD09CE29EACEC5EE70CEEA326DED7FC2683AE04C87F0E189EBA0E1D38C06685B743C9
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d.....<.........." .........................................................0.......g....`.........................................`................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):13760
                                                                Entropy (8bit):6.575688560984027
                                                                Encrypted:false
                                                                SSDEEP:192:L1dv3V0dfpkXc2MAvVaoKKDWYhWTJWWFYg7VWQ4uWoSUtpwBqnajrmaaGWpmJ:Zdv3V0dfpkXc0vVaeWYhWj/qlQGWpmJ
                                                                MD5:6C3FCD71A6A1A39EAB3E5C2FD72172CD
                                                                SHA1:15B55097E54028D1466E46FEBCA1DBB8DBEFEA4F
                                                                SHA-256:A31A15BED26232A178BA7ECB8C8AA9487C3287BB7909952FC06ED0D2C795DB26
                                                                SHA-512:EF1C14965E5974754CC6A9B94A4FA5107E89966CB2E584CE71BBBDD2D9DC0C0536CCC9D488C06FA828D3627206E7D9CC8065C45C6FB0C9121962CCBECB063D4F
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d......c.........." .........................................................0............`.........................................`...X............ ...................!..............T............................................................................rdata..|...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12232
                                                                Entropy (8bit):6.70261983917014
                                                                Encrypted:false
                                                                SSDEEP:192:ztZ3XWYhW3WWFYg7VWQ4eWNnpit7ZqnajgnLSl:ztZ3XWYhWVg+llk2
                                                                MD5:D175430EFF058838CEE2E334951F6C9C
                                                                SHA1:7F17FBDCEF12042D215828C1D6675E483A4C62B1
                                                                SHA-256:1C72AC404781A9986D8EDEB0EE5DD39D2C27CE505683CA3324C0ECCD6193610A
                                                                SHA-512:6076086082E3E824309BA2C178E95570A34ECE6F2339BE500B8B0A51F0F316B39A4C8D70898C4D50F89F3F43D65C5EBBEC3094A47D91677399802F327287D43B
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................." .........................................................0......G.....`.........................................`...x............ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12744
                                                                Entropy (8bit):6.599515320379107
                                                                Encrypted:false
                                                                SSDEEP:192:fKIMFFyWYhW6WWFYg7VWQ4eWoVjxceXqnajLJ4:fcyWYhWKRjmAlnJ4
                                                                MD5:9D43B5E3C7C529425EDF1183511C29E4
                                                                SHA1:07CE4B878C25B2D9D1C48C462F1623AE3821FCEF
                                                                SHA-256:19C78EF5BA470C5B295DDDEE9244CBD07D0368C5743B02A16D375BFB494D3328
                                                                SHA-512:C8A1C581C3E465EFBC3FF06F4636A749B99358CA899E362EA04B3706EAD021C69AE9EA0EFC1115EAE6BBD9CF6723E22518E9BEC21F27DDAAFA3CF18B3A0034A7
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r............" .........................................................0............`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12232
                                                                Entropy (8bit):6.690164913578267
                                                                Encrypted:false
                                                                SSDEEP:192:4EWYhWdWWFYg7VWQ4eWvvJ6jxceXqnajLJn:4EWYhWbwYjmAlnJ
                                                                MD5:43E1AE2E432EB99AA4427BB68F8826BB
                                                                SHA1:EEE1747B3ADE5A9B985467512215CAF7E0D4CB9B
                                                                SHA-256:3D798B9C345A507E142E8DACD7FB6C17528CC1453ABFEF2FFA9710D2FA9E032C
                                                                SHA-512:40EC0482F668BDE71AEB4520A0709D3E84F093062BFBD05285E2CC09B19B7492CB96CDD6056281C213AB0560F87BD485EE4D2AEEFA0B285D2D005634C1F3AF0B
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d....Y$..........." .........................................................0.......d....`.........................................`...H............ ...................!..............T............................................................................rdata..l...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):11720
                                                                Entropy (8bit):6.615761482304143
                                                                Encrypted:false
                                                                SSDEEP:192:dZ89WYhWFWWFYg7VWQ4eW5QLyFqnajziMOci:dZ89WYhWDnolniMOP
                                                                MD5:735636096B86B761DA49EF26A1C7F779
                                                                SHA1:E51FFBDDBF63DDE1B216DCCC753AD810E91ABC58
                                                                SHA-256:5EB724C51EECBA9AC7B8A53861A1D029BF2E6C62251D00F61AC7E2A5F813AAA3
                                                                SHA-512:3D5110F0E5244A58F426FBB72E17444D571141515611E65330ECFEABDCC57AD3A89A1A8B2DC573DA6192212FB65C478D335A86678A883A1A1B68FF88ED624659
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d................" .........................................................0......Xc....`.........................................`...<............ ...................!..............T............................................................................rdata..\...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12744
                                                                Entropy (8bit):6.627282858694643
                                                                Encrypted:false
                                                                SSDEEP:192:R0WYhWRWWFYg7VWQ4eWLeNxUUtpwBqnajrmaaG:R0WYhWPzjqlQG
                                                                MD5:031DC390780AC08F498E82A5604EF1EB
                                                                SHA1:CF23D59674286D3DC7A3B10CD8689490F583F15F
                                                                SHA-256:B119ADAD588EBCA7F9C88628010D47D68BF6E7DC6050B7E4B787559F131F5EDE
                                                                SHA-512:1468AD9E313E184B5C88FFD79A17C7D458D5603722620B500DBA06E5B831037CD1DD198C8CE2721C3260AB376582F5791958763910E77AA718449B6622D023C7
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d..../}..........." .........................................................0......a.....`.........................................0................ ...................!..............T............................................................................rdata.. ...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):15816
                                                                Entropy (8bit):6.435326465651674
                                                                Encrypted:false
                                                                SSDEEP:192:JM0wd8dc9cydWYhWyWWFYg7VWQ4eW9jTXfH098uXqnajH/VCf:G0wd8xydWYhWi2bXuXlTV2
                                                                MD5:285DCD72D73559678CFD3ED39F81DDAD
                                                                SHA1:DF22928E43EA6A9A41C1B2B5BFCAB5BA58D2A83A
                                                                SHA-256:6C008BE766C44BF968C9E91CDDC5B472110BEFFEE3106A99532E68C605C78D44
                                                                SHA-512:84EF0A843798FD6BD6246E1D40924BE42550D3EF239DAB6DB4D423B142FA8F691C6F0603687901F1C52898554BF4F48D18D3AEBD47DE935560CDE4906798C39A
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...x............." .........................................................@.......5....`.........................................0................0...................!..............T............................................................................rdata..............................@..@.rsrc........0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):12232
                                                                Entropy (8bit):6.5874576656353145
                                                                Encrypted:false
                                                                SSDEEP:192:6KNMWYhW6WWFYg7VWQ4eWSA5lJSdqnajeMh3:6KNMWYhWKiKdlaW
                                                                MD5:5CCE7A5ED4C2EBAF9243B324F6618C0E
                                                                SHA1:FDB5954EE91583A5A4CBB0054FB8B3BF6235EED3
                                                                SHA-256:AA3E3E99964D7F9B89F288DBE30FF18CBC960EE5ADD533EC1B8326FE63787AA3
                                                                SHA-512:FC85A3BE23621145B8DC067290BD66416B6B1566001A799975BF99F0F526935E41A2C8861625E7CFB8539CA0621ED9F46343C04B6C41DB812F58412BE9C8A0DE
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...g P..........." .........................................................0............`.........................................0..."............ ...................!..............T............................................................................rdata..R...........................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):13768
                                                                Entropy (8bit):6.645869978118917
                                                                Encrypted:false
                                                                SSDEEP:192:CGnWlC0i5ClWYhWwWWFYg7VWQ4eWtOUtpwBqnajrmaaGN4P:9nWm5ClWYhWQ8qlQGN6
                                                                MD5:41FBBB054AF69F0141E8FC7480D7F122
                                                                SHA1:3613A572B462845D6478A92A94769885DA0843AF
                                                                SHA-256:974AF1F1A38C02869073B4E7EC4B2A47A6CE8339FA62C549DA6B20668DE6798C
                                                                SHA-512:97FB0A19227887D55905C2D622FBF5451921567F145BE7855F72909EB3027F48A57D8C4D76E98305121B1B0CC1F5F2667EF6109C59A83EA1B3E266934B2EB33C
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........&...Ge..Ge..Ge../e..Ge../a..Ge../...Ge../g..Ge.Rich.Ge.........................PE..d...r..x.........." .........................................................0.......(....`.........................................0................ ...................!..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):61176
                                                                Entropy (8bit):5.850944458899023
                                                                Encrypted:false
                                                                SSDEEP:1536:8dAqjxlblBAeX9cMPqnLQmnSPFCCBXuk9:8d1l59cJbSNZBXuO
                                                                MD5:3B02A4FCAAC283D3C5E082B62F88BE25
                                                                SHA1:C230237FA2BEF46A4C9649871EE46BBA89958C4E
                                                                SHA-256:D02FB06775ED21CE1124C5A9BA42D7E00872C4CAF3933F0852FFD98591EE9790
                                                                SHA-512:9FE3ACDC6CDC51F56AB205A669F3865FB18DA79750A62E896615AF98F4D37B4A5DADB898126B421133CBD86805A1A84D1C92A429F88AA2152D07939BEBEB93B0
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........'.X.F...F...F...>O..F.......F.......F.......F.......F.......F...F...F..-/...F..-/...F..-/#..F...FK..F..-/...F..Rich.F..........PE..d.....-a.........." .....X...|.......Y.................................................... .....................................................x.......h.......................0...P...T.......................(....................p..X............................text....V.......X.................. ..`.rdata...X...p...Z...\..............@..@.data...............................@....pdata..............................@..@.rsrc...h...........................@..@.reloc..0...........................@..B................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):127224
                                                                Entropy (8bit):6.217127607919178
                                                                Encrypted:false
                                                                SSDEEP:1536:KOMFt1bvZ+4WYoIW9YAlqlEO/NiuE0PJmISN10ZpzdUAsSAl9/mEzuEVvHV7Gvru:fMFZ+4azlqlEO/0d0PkIxPYGX6
                                                                MD5:ABDA3CF0D286D6CC5EC2CB1B49DBC180
                                                                SHA1:85CA9C24AD7CF07830E86607723770645D724C28
                                                                SHA-256:5549E8D3C90AFC8A90558529FE0127CE8A36805D853ED2BBD2A832E497D07405
                                                                SHA-512:AF813D4529C7971C6427E84C21275F2D703495E8BCDE72112ED400FCF2BFD64D1E3754E7A8D95A4D1953472C3C9821EF0444CD844F02AE31FA2C5FA8D93E66CF
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........'y.fI*.fI*.fI*...*.fI*..M+.fI*..J+.fI*..L+.fI*..H+.fI*..H+.fI*..H+.fI*.fH*.fI*..L+.fI*..I+.fI*...*.fI*.f.*.fI*..K+.fI*Rich.fI*................PE..d.....-a.........." ......................................................... ............ ..........................................x..|B..............p.......@...............D....>..T...................0@..(...0?............... ...............................text...p........................... ..`.rdata....... ......................@..@.data...............................@....pdata..@...........................@..@.rsrc...p...........................@..@.reloc..D...........................@..B................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):418040
                                                                Entropy (8bit):6.1735291180760505
                                                                Encrypted:false
                                                                SSDEEP:6144:vJXvKtM+eZLmd2Mht6hBj2+1J3Hw2iojntPqbmdv0Pz:vJXvcMRZLmd2Mht6hBj3A2iW8WO
                                                                MD5:1CC74B77B1A0B6F14B19F45412D62227
                                                                SHA1:25C8D5B1DD13C826AC97995E2265E7960877A869
                                                                SHA-256:1314E7F48DCFAA9ED62AD80C19D4EAD856C6D216D6F80B8EFA1A3803087C506A
                                                                SHA-512:CA88D9DB167FEE11DCF88FD365DBAEF9E2704996E622F1523943C5AF54D6AE2546D860DB86B20757C89FA52E4140D474EB0EA4A69042AA4CAAF6125E0D5381D9
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+ ..Es..Es..Es...s..Es..Ar..Es..Fr..Es..@r..Es..Dr..Es..Dr..Es..Ds(.Es..@r..Es..Er..Es..s..Es...s..Es..Gr..EsRich..Es........PE..d.....-a.........." .........:.......................................................4.... .........................................`n...T...........p.......0..d2...D.................T...................0...(...0................ ...............................text...\........................... ..`.rdata..h.... ......................@..@.data....7.......0..................@....pdata..d2...0...4..................@..@.rsrc........p.......8..............@..@.reloc...............>..............@..B................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):698104
                                                                Entropy (8bit):6.463466021766765
                                                                Encrypted:false
                                                                SSDEEP:12288:rtCgw2rHcLfk4heNe39mSOWE64h/5+JLkxBdmmVaSV:JCglHsfb9vzE64h/CAxBdmmVaSV
                                                                MD5:087DAF44CD13B79E4D59068B3A1C6250
                                                                SHA1:653FB242A44C7742764C77D8249D00DDDC1C867E
                                                                SHA-256:7AAFC98B0189C4DB66E03EC69B0DA58E59F5728FA9C37F7A61D1531E4D146FD6
                                                                SHA-512:3BB7494191EDDA18416B425762EA35B1C614CA420E6D0A8BBA5B9749C453F2552435FC97CF4532E088BBEC2B57A7DC9F782F7C7CEC67F96A33511C367F6A5052
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........>.B.P.B.P.B.P.K...N.P...T.J.P...S.@.P...U.Z.P...Q.F.P...Q.G.P.B.Q...P..U.P.P..P.C.P...C.P.B...C.P..R.C.P.RichB.P.........................PE..d.....-a.........." ................l................................................s.... ..........................................7..T...4...........X....`...D...................Q..T...................@S..(...@R..................H............................text............................... ..`.rdata...V.......X..................@..@.data...`(...0..."..................@....pdata...D...`...F...6..............@..@.rsrc...X............|..............@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):31480
                                                                Entropy (8bit):5.969706735107452
                                                                Encrypted:false
                                                                SSDEEP:384:rTnmLAtoAmXkI4WW9jLU7gJX5ZGz/5UtxcNPMUyZJKSm/dAgZsHL4DhAm:noxXzI5Z05uqlyEiRUhR
                                                                MD5:CC2C7E9435E8F818F3114AEFCC84E053
                                                                SHA1:F106C5EEAA3545CB85BA1217F40E4AE8F047E69E
                                                                SHA-256:59415F12FF688B58C9180A545F4836A4C2DDF472C232B3BE9FAB7965F9980924
                                                                SHA-512:316D0F0374DA2818CC1A83A6F8BE8E70CCCC2D9F37DB54DF9322FF26FF436EB18532CEB549F286E569E1A6B82BA1345FFE4A7ADC678AE450FC5C3C637F24259D
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?...{...{...{...r.e.....)...h...)...s...)...y...)....... ...x...{...E......y......z......z...{.a.z......z...Rich{...........PE..d.....-a.........." .....,...4......@0................................................... ..........................................T......tU..x.......`....p.......^..............0F..T....................G..(....F...............@...............................text....*.......,.................. ..`.rdata.......@.......0..............@..@.data...h....`.......N..............@....pdata.......p.......R..............@..@.rsrc...`............V..............@..@.reloc...............\..............@..B................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):103672
                                                                Entropy (8bit):5.851546804507911
                                                                Encrypted:false
                                                                SSDEEP:1536:DkEZwX0tTbIIJdLJABqKSimO9K64vaO4WpgXyhchiUKcvKXMnVOlVS:QErbXvAxO41yhcBvKXwaVS
                                                                MD5:129051E3B7B8D3CC55559BEDBED09486
                                                                SHA1:E257D69C91594C623A8649AC3F76DC4B0C4D8EDF
                                                                SHA-256:73BFA0700A1C1631483D1ADC79A5225066A28A5CA94D70267DE6B0573BF11BDF
                                                                SHA-512:6DCF486B58A0C8E16CB0A2A0B7C53812275DF7E55CEBE94B645517D2A061A67CA3B9CFDDA4F94E89BE57D3B629540C4A45DD153EF84DB90E46D06257A936831A
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........X..............&........................................&.............&......&......&.J.......".....&......Rich............................PE..d.....-a.........." ................4...............................................:..... ..........................................J.......[..........`............x..............`...T.......................(....................................................text............................... ..`.rdata.............................@..@.data........p.......N..............@....pdata...............\..............@..@.rsrc...`............n..............@..@.reloc...............t..............@..B........................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):57488
                                                                Entropy (8bit):6.382541157520703
                                                                Encrypted:false
                                                                SSDEEP:768:eQ6XULhGj8TzwsoeZwVAsuEIBh8v6H3eQdFyN+yghK3m5rR8vSoQuSd:ECVbTGkiE/c+XA3g2L7S
                                                                MD5:71F796B486C7FAF25B9B16233A7CE0CD
                                                                SHA1:21FFC41E62CD5F2EFCC94BAF71BD2659B76D28D3
                                                                SHA-256:B2ACB555E6D5C6933A53E74581FD68D523A60BCD6BD53E4A12D9401579284FFD
                                                                SHA-512:A82EA6FC7E7096C10763F2D821081F1B1AFFA391684B8B47B5071640C8A4772F555B953445664C89A7DFDB528C5D91A9ADDB5D73F4F5E7509C6D58697ED68432
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):4664568
                                                                Entropy (8bit):6.259383987199329
                                                                Encrypted:false
                                                                SSDEEP:49152:AroFmAk9nrwChDI061WcO0ABWmIex2MvOGL//VCsHqwApmqamnBObTETCAtdB8n:0tI0OWiVmIek+QpmqtB+9
                                                                MD5:A6A89F55416DB79D9E13B82685A04D60
                                                                SHA1:EDE6DE1377BBE28E1F0D0DEF095367F1E788FE3B
                                                                SHA-256:22D7C730C0092CDE5E339276F45882ACF4E172269153C6A328D83314DBACEF4B
                                                                SHA-512:D2A734AE3ACC3033C050634839E32F90AE29862D77EC28B87945D62D44562ED56AC2A4266BC70F0F42CACCC0A7D93B07E2B42D7FFCEFE2F599A6A9DC2F26C583
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):215288
                                                                Entropy (8bit):6.050529290720027
                                                                Encrypted:false
                                                                SSDEEP:3072:emvBIfdYtwUTAgsHW0Akz0dMtTWYUQ4TyjEXv8pQxI88hw:ekBIATA1z7tTzovXv8Kxzj
                                                                MD5:BF5EE5008353BB5C52DCF8821082CE6B
                                                                SHA1:F85B517F96FE87D953925D05238345A03594C8F8
                                                                SHA-256:9273A49CAC32ACA5358A77D41DE00FEB589ED3285B2B2E07E9CE9CEBF80BAA31
                                                                SHA-512:B5862D1679AB4F44B228C3E52F5CB98616BF089BAD5EC3BBB63ABDCABDDB55C71C36628E2945C7460AA33F836D85A1A320BF2C704072B307A3B719CD3C6A8549
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:RAR archive data, v5
                                                                Category:dropped
                                                                Size (bytes):401230
                                                                Entropy (8bit):7.999492172245776
                                                                Encrypted:true
                                                                SSDEEP:12288:YakD+GL+4gN52TCUJ7U5UNA69AHMrycxV1e4C:Y+G64gN52WecUV+HCyIVjC
                                                                MD5:DD021791A8B4491C6157F2DB06542734
                                                                SHA1:F4E56EE60103298C29BEEBF2B748AACA556BBF5E
                                                                SHA-256:167126AAA9D4EB676B218DD3FA236AA2A18A955DB9B090A66438721BBF84C376
                                                                SHA-512:08165F16975D8DCDCE35CA1D1392E57CE6202C3E35B9F233ED033F3E75C6FBC094B2E8447EBAF955B14498316163328F1719469BE58775CA8FFF2C38DF33198F
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):566704
                                                                Entropy (8bit):6.494428734965787
                                                                Encrypted:false
                                                                SSDEEP:12288:M/Wn7JnU0QUgqtLe1fqSKnqEXG6IOaaal7wC/QaDWxncycIW6zuyLQEKZm+jWodj:yN59IW6zuAQEKZm+jWodEEY1u
                                                                MD5:6DA7F4530EDB350CF9D967D969CCECF8
                                                                SHA1:3E2681EA91F60A7A9EF2407399D13C1CA6AA71E9
                                                                SHA-256:9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA
                                                                SHA-512:1F77F900215A4966F7F4E5D23B4AAAD203136CB8561F4E36F03F13659FE1FF4B81CAA75FEF557C890E108F28F0484AD2BAA825559114C0DAA588CF1DE6C1AFAB
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):22
                                                                Entropy (8bit):3.879664004902594
                                                                Encrypted:false
                                                                SSDEEP:3:mKDDlR+7H6U:hOD6U
                                                                MD5:D9324699E54DC12B3B207C7433E1711C
                                                                SHA1:864EB0A68C2979DCFF624118C9C0618FF76FA76C
                                                                SHA-256:EDFACD2D5328E4FFF172E0C21A54CC90BAF97477931B47B0A528BFE363EF7C7E
                                                                SHA-512:E8CC55B04A744A71157FCCA040B8365473C1165B3446E00C61AD697427221BE11271144F93F853F22906D0FEB61BC49ADFE9CBA0A1F3B3905E7AD6BD57655EB8
                                                                Malicious:false
                                                                Preview:@echo off..Start "" %1
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):12124160
                                                                Entropy (8bit):4.1175508751036585
                                                                Encrypted:false
                                                                SSDEEP:49152:opbNLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8p8j:o9NDU1eB1
                                                                MD5:8A13CBE402E0BBF3DA56315F0EBA7F8E
                                                                SHA1:EE8B33FA87D7FA04B9B7766BCF2E2C39C4F641EA
                                                                SHA-256:7B5E6A18A805D030779757B5B9C62721200AD899710FF930FC1C72259383278C
                                                                SHA-512:46B804321AB1642427572DD141761E559924AF5D015F3F1DD97795FB74B6795408DEAD5EA822D2EB8FBD88E747ECCAD9C3EE8F9884DFDB73E87FAD7B541391DA
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):12124160
                                                                Entropy (8bit):4.117842215789484
                                                                Encrypted:false
                                                                SSDEEP:49152:lIsY5NLHjtBKapOZoWPQ8MQvfyf3t+WpskQS+ZSZmpPwoe5GOSwleJiXACPQDk8v:lYNDUK7k59
                                                                MD5:8DD2CDF8B1702DEE25F4BC2DCE10DA8F
                                                                SHA1:7AE8D142C41159D65C7AB9598C90EC1DF33138D1
                                                                SHA-256:B19E92D742D8989D275BB34FB7828211969997D38FF9250D9561F432D5C5F62C
                                                                SHA-512:6CEBD788559543623A3F54154F6C84E31A9716CFFA19D199087F0704CC9016F54CF0B3CFF6D8DB65428138EEB12553B23EBA7EDAF5B64A050A077DD2951286B0
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):51389
                                                                Entropy (8bit):7.916683616123071
                                                                Encrypted:false
                                                                SSDEEP:768:GO5DN7hkJDEnwQm0aCDOdC4Lk1eo8eNEyu/73vVjPx5S+3TYWFwSvZt6xdWDvw:GO5h7hkREnyvo8QBuDNjfvD1/3vw
                                                                MD5:8F4C0388762CD566EAE3261FF8E55D14
                                                                SHA1:B6C5AA0BBFDDE8058ABFD06637F7BEE055C79F4C
                                                                SHA-256:AAEFACDD81ADEEC7DBF9C627663306EF6B8CDCDF8B66E0F46590CAA95CE09650
                                                                SHA-512:1EF4D8A9D5457AF99171B0D70A330B702E275DCC842504579E24FC98CC0B276F8F3432782E212589FC52AA93BBBC00A236FE927BE0D832DD083E8F5EBDEB67C2
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):12133334
                                                                Entropy (8bit):7.944474086295981
                                                                Encrypted:false
                                                                SSDEEP:196608:h6fa1BzmQR9sZTGVq8B4ISiOCC0SabOyigGRA7OtuPZIWeXB:6a1gk+8B4IS8S2OyiJRA7OtYZaB
                                                                MD5:E3705B15388EC3BDFE799AD5DB80B172
                                                                SHA1:0B9B77F028727C73265393A68F37FC69C30205BD
                                                                SHA-256:BE59AC0E673827B731CF5616B41DA11581A5863285FEA1A0696AA4F93796BCC3
                                                                SHA-512:CA44B3E7658232FCC19C9AD223455F326D34B17384E566B8CAF0F7409D71B2B86F4089BF4A35128EC6CFFE080DF84C69C72C22B230FB0F2F8CB345442318F737
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):41127
                                                                Entropy (8bit):7.961466748192397
                                                                Encrypted:false
                                                                SSDEEP:768:L0xH2Z5C7/c8GqFsHWShYYptTpmPSB4gTQSq4Yz1jHoAsbjX:wxH66/crqiH3tTVTsSVYz1jIAsfX
                                                                MD5:D039093C051B1D555C8F9B245B3D7FA0
                                                                SHA1:C81B0DAEDAB28354DEA0634B9AE9E10EE72C4313
                                                                SHA-256:4A495FC5D119724F7D40699BB5D2B298B0B87199D09129AEC88BBBDBC279A68D
                                                                SHA-512:334FD85ACE22C90F8D4F82886EEF1E6583184369A031DCEE6E0B6624291F231D406A2CEC86397C1B94D535B36A5CF7CB632BB9149B8518B794CBFA1D18A2478F
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):113725
                                                                Entropy (8bit):7.928841651831531
                                                                Encrypted:false
                                                                SSDEEP:3072:6jB5A+VPT8IdtpHAUfEzhLpIrxbt2rlnH6:6ZRTPHgU2pItshH6
                                                                MD5:3A03EF8F05A2D0472AE865D9457DAB32
                                                                SHA1:7204170A08115A16A50D5A06C3DE7B0ADB6113B1
                                                                SHA-256:584D15427F5B0AC0CE4BE4CAA2B3FC25030A0CF292F890C6D3F35836BC97FA6D
                                                                SHA-512:1702C6231DAAB27700160B271C3D6171387F89DA0A97A3725B4B9D404C94713CB09BA175DE8E78A8F0CBD8DD0DD73836A38C59CE8D1BD38B4F57771CF9536E77
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Java jmod module version 1.0
                                                                Category:dropped
                                                                Size (bytes):896846
                                                                Entropy (8bit):7.923431656723031
                                                                Encrypted:false
                                                                SSDEEP:12288:3xz+ej0yUGnip25kAyyrAm0G4hcpbLIWFWb4YNlgWUz4u5cnLXlAVz/Q+9Ec8zCU:3cZpcryy8mp4hpSxWUQuV//yDXX
                                                                MD5:C6FBB7D49CAA027010C2A817D80CA77C
                                                                SHA1:4191E275E1154271ABF1E54E85A4FF94F59E7223
                                                                SHA-256:1C8D9EFAEB087AA474AD8416C3C2E0E415B311D43BCCA3B67CBF729065065F09
                                                                SHA-512:FDDC31FA97AF16470EA2F93E3EF206FFB217E4ED8A5C379D69C512652987E345CB977DB84EDA233B190181C6E6E65C173062A93DB3E6BB9EE7E71472C9BBFE34
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):639224
                                                                Entropy (8bit):6.219852228773659
                                                                Encrypted:false
                                                                SSDEEP:12288:FgLcjQQPKZZK8aF4yBj3Fnx4DMDO8jalo:FggjQKuyDnxvOYaC
                                                                MD5:01DACEA3CBE5F2557D0816FC64FAE363
                                                                SHA1:566064A9CB1E33DB10681189A45B105CDD504FD4
                                                                SHA-256:B4C96B1E5EEE34871D9AB43BCEE8096089742032C0669DF3C9234941AAC3D502
                                                                SHA-512:C22BFE54894C26C0BD8A99848B33E1B9A9859B3C0C893CB6039F9486562C98AA4CEAB0D28C98C1038BD62160E03961A255B6F8627A7B2BB51B86CC7D6CBA9151
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*...D..D..D.....D.1J...D...@..D...G..D...A..D...E..D..E..D...E..D..E.O.D...A..D...D..D......D.....D...F..D.Rich..D.........PE..d.....-a.........." ...............................................................E..... .....................................................,.......@....p..xK..................`...T.......................(.......................(............................text............................... ..`.rdata..H=.......>..................@..@.data....H... ...@..................@....pdata..xK...p...L...J..............@..@.rsrc...@...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):98224
                                                                Entropy (8bit):6.452201564717313
                                                                Encrypted:false
                                                                SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
                                                                MD5:F34EB034AA4A9735218686590CBA2E8B
                                                                SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
                                                                SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
                                                                SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):37256
                                                                Entropy (8bit):6.297533243519742
                                                                Encrypted:false
                                                                SSDEEP:384:5hnvMCmWEKhUcSLt5a9k6KrOE5fY/ntz5txWE6Wc+Xf0+uncS7IO5WrCKWU/tQ0g:YCm5KhUcwrHY/ntTxT6ov07b4SwY1zl
                                                                MD5:135359D350F72AD4BF716B764D39E749
                                                                SHA1:2E59D9BBCCE356F0FECE56C9C4917A5CACEC63D7
                                                                SHA-256:34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32
                                                                SHA-512:CF23513D63AB2192C78CAE98BD3FEA67D933212B630BE111FA7E03BE3E92AF38E247EB2D3804437FD0FDA70FDC87916CD24CF1D3911E9F3BFB2CC4AB72B459BA
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......D_.O.>...>...>...N...>..RK...>...F^..>...>..1>..RK...>..RK...>..RK...>..RK...>..RK2..>..RK...>..Rich.>..........................PE..d...)|.a.........." .....:...6......`A....................................................`A.........................................l.......m..x....................n...#......<...(b..T............................b..8............P..X............................text...e9.......:.................. ..`.rdata.. "...P...$...>..............@..@.data... ............b..............@....pdata...............d..............@..@.rsrc................h..............@..@.reloc..<............l..............@..B................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:MS Windows icon resource - 7 icons, 256x256, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                                Category:dropped
                                                                Size (bytes):372526
                                                                Entropy (8bit):4.467275942115759
                                                                Encrypted:false
                                                                SSDEEP:3072:aAVWno2eoqXRy8QGSi6H0NOJe6ay1lrnyoeFM8UuPLZoELS/8taek6KYrOzzCIhZ:LCANx6xPZX9mBW
                                                                MD5:B52B2D1D4C9E56CA24AB0CD0730CC5AD
                                                                SHA1:C70A3683DF57DE3096CA58F314C0B649035392CC
                                                                SHA-256:73CDA59B9158F5DCA967A6EC24A3608C672DCA63F714BFD7B7B5F81C1303F457
                                                                SHA-512:CDCAB1C415B87948AD45C967D6C50EA24935D7E58CFC30717E2943D9CE9F5DDEFCB5E60BCE58F9F387635EA30E1A0399DBA644316CC53F1802BAE73B76CB1BFA
                                                                Malicious:false
                                                                Preview:............ .( ..v......... .(.... ..@@.... .(B...(..00.... ..%...j.. .... ............... .....>......... .h......(............. ...... ............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {EF350A28-9BA8-4F85-B94C-53D911CB898F}, Number of Words: 10, Subject: App x installer, Author: Coors Q Corporation, Name of Creating Application: App x installer, Template: x64;2057, Comments: This installer database contains the logic and data required to install App x installer., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Dec 20 19:52:49 2024, Last Saved Time/Date: Fri Dec 20 19:52:49 2024, Last Printed: Fri Dec 20 19:52:49 2024, Number of Pages: 450
                                                                Category:dropped
                                                                Size (bytes):60325376
                                                                Entropy (8bit):7.202290189811352
                                                                Encrypted:false
                                                                SSDEEP:786432:YWZojVmrjV7eIAtehOTZQoZ4sdUuzt/NCaY2ksC:YW8VmrjV7eIvhOTZlRjVCa1t
                                                                MD5:D874E0A9455815E7A46ABF2DF7F74896
                                                                SHA1:D2C0D8370B340D37B8EB0E9C06DDD0C05BE7450B
                                                                SHA-256:14C34F0134E24FF3E0761B97081E9CDD70725F16686F8C3B0BEB28328BEA795F
                                                                SHA-512:6F6451711D61863E1298804828EAD4FC5619AB4565F015D4B871ED3774434751D9868F349186DD4123C5080EE49D6B4E3B2EC6E80A2E363BAA20D3B996EC4740
                                                                Malicious:false
                                                                Preview:......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)...*...................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-...7.../...0...1...2...3...4...5...6.......9...M...:...;...<...=...>...?...@...A...D...C...J...E...F...G...H...I...N...K...L...e...O...""..P...Q...R...S...T...U...V...W...X...("..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {EF350A28-9BA8-4F85-B94C-53D911CB898F}, Number of Words: 10, Subject: App x installer, Author: Coors Q Corporation, Name of Creating Application: App x installer, Template: x64;2057, Comments: This installer database contains the logic and data required to install App x installer., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Dec 20 19:52:49 2024, Last Saved Time/Date: Fri Dec 20 19:52:49 2024, Last Printed: Fri Dec 20 19:52:49 2024, Number of Pages: 450
                                                                Category:dropped
                                                                Size (bytes):60325376
                                                                Entropy (8bit):7.202290189811352
                                                                Encrypted:false
                                                                SSDEEP:786432:YWZojVmrjV7eIAtehOTZQoZ4sdUuzt/NCaY2ksC:YW8VmrjV7eIvhOTZlRjVCa1t
                                                                MD5:D874E0A9455815E7A46ABF2DF7F74896
                                                                SHA1:D2C0D8370B340D37B8EB0E9C06DDD0C05BE7450B
                                                                SHA-256:14C34F0134E24FF3E0761B97081E9CDD70725F16686F8C3B0BEB28328BEA795F
                                                                SHA-512:6F6451711D61863E1298804828EAD4FC5619AB4565F015D4B871ED3774434751D9868F349186DD4123C5080EE49D6B4E3B2EC6E80A2E363BAA20D3B996EC4740
                                                                Malicious:false
                                                                Preview:......................>............................................2..................................................................x...............................................................................................................................................%...&...'...(...)...*...................................................Z"..."..E#..F#..G#..H#..I#..J#..K#..L#..M#..N#..O#..P#..Q#..R#..S#..T#..U#...+...+...,...,...,...,...,...,...,..-0...0../0..00...2...2...2...2...2...2...2...2..............d...........................8...............B................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-...7.../...0...1...2...3...4...5...6.......9...M...:...;...<...=...>...?...@...A...D...C...J...E...F...G...H...I...N...K...L...e...O...""..P...Q...R...S...T...U...V...W...X...("..Z...[...\...]...^..._...`...a...b...c.......~...f...g...h...i...j...k...l...m...n...o...p...q...r.......t...u...v...w...x...y...z...
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1021792
                                                                Entropy (8bit):6.608727172078022
                                                                Encrypted:false
                                                                SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1021792
                                                                Entropy (8bit):6.608727172078022
                                                                Encrypted:false
                                                                SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1021792
                                                                Entropy (8bit):6.608727172078022
                                                                Encrypted:false
                                                                SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1021792
                                                                Entropy (8bit):6.608727172078022
                                                                Encrypted:false
                                                                SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1201504
                                                                Entropy (8bit):6.4557937684843365
                                                                Encrypted:false
                                                                SSDEEP:24576:W4FsQxRqkY1ngOktwC2Tec+4VGWSlnH/YrjPWeTIUGVUrHtAkJMsFUh29BKjxw:D2QxNwCsec+4VGWSlnfYvO3UGVUrHtAg
                                                                MD5:E83D774F643972B8ECCDB3A34DA135C5
                                                                SHA1:A58ECCFB12D723C3460563C5191D604DEF235D15
                                                                SHA-256:D0A6F6373CFB902FCD95BC12360A9E949F5597B72C01E0BD328F9B1E2080B5B7
                                                                SHA-512:CB5FF0E66827E6A1FA27ABDD322987906CFDB3CDB49248EFEE04D51FEE65E93B5D964FF78095866E197448358A9DE9EC7F45D4158C0913CBF0DBD849883A6E90
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............@G..@G..@G.yCF..@G.yEF..@G.|CF..@G.|DF..@G.|EF..@G.yDF..@G.yAF..@G..AG..@G.}IF..@G.}@F..@G.}.G..@G...G..@G.}BF..@GRich..@G........PE..L...'.$g.........."!...).~..........Pq.......................................`......0.....@A........................ ...t...............................`=.......l......p........................... ...@...............L............................text...J}.......~.................. ..`.rdata...;.......<..................@..@.data...............................@....fptable............................@....rsrc...............................@..@.reloc...l.......n..................@..B........................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1021792
                                                                Entropy (8bit):6.608727172078022
                                                                Encrypted:false
                                                                SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):1021792
                                                                Entropy (8bit):6.608727172078022
                                                                Encrypted:false
                                                                SSDEEP:24576:2Nmq6KGDx4JYKcP/+h0lhSMXl+GGXo8Wea/xwuX:Ymq6KGk/cHrOGGY8Wea/xwuX
                                                                MD5:EE09D6A1BB908B42C05FD0BEEB67DFD2
                                                                SHA1:1EB7C1304B7BCA649C2A5902B18A1EA57CEAA532
                                                                SHA-256:7BBF611F5E2A16439DC8CD11936F6364F6D5CC0044545C92775DA5646AFC7752
                                                                SHA-512:2DD2E4E66D2F2277F031C5F3C829A31C3B29196AB27262C6A8F1896A2113A1BE1687C9E8CD9667B89157F099DFB969EF14AE3EA602D4C772E960BC41D39C3D05
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......ia.p-..#-..#-..#].."!..#].."...#=..":..#=.."<..#=.."b..#].."7..#]..",..#].."...#-..#...#e.."T..#e..",..#e..#,..#-.g#,..#e..",..#Rich-..#........................PE..L.....$g.........."!...).....`...... ........ ...........................................@A............................L...,...@....................Z..`=......\....K..p....................L...... K..@............ ...............................text............................... ..`.rdata....... ......................@..@.data....(..........................@....fptable............................@....rsrc...............................@..@.reloc..\...........................@..B................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):380520
                                                                Entropy (8bit):6.512348002260683
                                                                Encrypted:false
                                                                SSDEEP:6144:ZSXJmYiFGLzkhEFeCPGi5B8dZ6t+6bUSfcqKgAST:ZSXJ9khElPGvcttbxpAST
                                                                MD5:FFDAACB43C074A8CB9A608C612D7540B
                                                                SHA1:8F054A7F77853DE365A7763D93933660E6E1A890
                                                                SHA-256:7484797EA4480BC71509FA28B16E607F82323E05C44F59FFA65DB3826ED1B388
                                                                SHA-512:A9BD31377F7A6ECF75B1D90648847CB83D8BD65AD0B408C4F8DE6EB50764EEF1402E7ACDFF375B7C3B07AC9F94184BD399A10A22418DB474908B5E7A1ADFE263
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........^..?{..?{..?{..x..?{..~..?{...x..?{......?{...~..?{.....?{..z..?{..?z..>{..r..?{..{..?{....?{..?.?{..y..?{.Rich.?{.........PE..L...>.$g.........."!...)..................... .......................................'....@A........................@3..X....3.......... ...............h:.......6..@...p...............................@............ ..(............................text...J........................... ..`.rdata...$... ...&..................@..@.data....!...P......................@....fptable.............@..............@....rsrc... ............B..............@..@.reloc...6.......8...\..............@..B........................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):393109
                                                                Entropy (8bit):4.73641097545014
                                                                Encrypted:false
                                                                SSDEEP:3072:o/9SAVWno2eoqXRy8QGSi6H0NOJe6ay1lrnyoeFM8UuPLZoELS/8taek6KYrOzzz:o/9DCANx6xPZX9mB+
                                                                MD5:E7D99CC9B130408194423C43852B66DD
                                                                SHA1:3B806B0960ECB3FC89F9BD67E47C7466BF0C8361
                                                                SHA-256:E7347F8D0CA4153BA49ABA888C3483428FDC30D086EFA6D96DD6B32D8CC9F228
                                                                SHA-512:40969ED1230856794BA45D87713F8C8F6ADBD31F8DA753819D43BF4E5E07A52E20C428CDEABD1774F1B2E6C91806C98D15BD8ED959E84578EB3AE45213FA5B7B
                                                                Malicious:false
                                                                Preview:...@IXOS.@.....@.Y.@.....@.....@.....@.....@.....@......&.{5A278211-3D84-49CA-AC02-C993B0AB8CAA}..App x installer..Setup.msi.@.....@.....@.....@......icon_22.exe..&.{EF350A28-9BA8-4F85-B94C-53D911CB898F}.....@.....@.....@.....@.......@.....@.....@.......@......App x installer......Rollback..Rolling back action:....RollbackCleanup..Removing backup files..File: [1]...@.......@........ProcessComponents..Updating component registration...@4....@.....@.]....&.{F39C344E-A83E-4760-8DA8-F27602095B4F}C.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\.@.......@.....@.....@......&.{BC83E781-7DE2-47A8-97C3-2E6CC9BCAD82}8.21:\Software\Coors Q Corporation\App x installer\Version.@.......@.....@.....@......&.{D582EE7E-FCB6-40BB-88DF-D87561F6DACA}N.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvacore.dll.@.......@.....@.....@......&.{44552115-2BAF-4203-B6FB-1E9405F63E37}U.C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\dvaunittesting.dll.@.
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                Category:dropped
                                                                Size (bytes):787808
                                                                Entropy (8bit):6.693392695195763
                                                                Encrypted:false
                                                                SSDEEP:24576:aE33f8zyjmfyY43pNRmkL7mh0lhSMXlEeGXDMGz+:L3fSyjmfyY43pNRp7T0eGwGz+
                                                                MD5:8CF47242B5DF6A7F6D2D7AF9CC3A7921
                                                                SHA1:B51595A8A113CF889B0D1DD4B04DF16B3E18F318
                                                                SHA-256:CCB57BDBB19E1AEB2C8DD3845CDC53880C1979284E7B26A1D8AE73BBEAF25474
                                                                SHA-512:748C4767D258BFA6AD2664AA05EF7DC16F2D204FAE40530430EF5D1F38C8F61F074C6EC6501489053195B6B6F6E02D29FDE970D74C6AE97649D8FE1FD342A288
                                                                Malicious:false
                                                                Antivirus:
                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............m..m..m.'n..m.'h.q.m.'i..m.."i..m.."n..m.."h..m.'l..m..l..m.#d..m.#m..m.#...m.....m.#o..m.Rich.m.........PE..L.....$g.........."!...).....4............................................... ............@A........................@J.......J..........................`=......4`...~..p........................... ~..@............................................text............................... ..`.rdata..Z...........................@..@.data...D-...`.......B..............@....fptable.............^..............@....rsrc................`..............@..@.reloc..4`.......b...f..............@..B........................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):20480
                                                                Entropy (8bit):1.1620501462339616
                                                                Encrypted:false
                                                                SSDEEP:12:JSbX72FjqAGiLIlHVRpMh/7777777777777777777777777vDHFTUnArp3Xl0i8Q:JkQI5c9h6F
                                                                MD5:8E421734312C3A94FC25BD053CBDCDBC
                                                                SHA1:AE811E6AF082203A26437B111C0B33CE71ACC007
                                                                SHA-256:22E1755FECDE3AB8061CE01FB1A13AAB6EBD244480C313E6EC3CF9F3207176EF
                                                                SHA-512:D098969331D4DEF20C9C1465E453E88DFDA9FC13FACB5120DD458CCA19B56CD20BA17BDE627F8CDBDDF3681255497A2C9730962E0333C89D8E16D66662F8931A
                                                                Malicious:false
                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):20480
                                                                Entropy (8bit):1.5817812156259112
                                                                Encrypted:false
                                                                SSDEEP:48:a8PhuuRc06WXOCFT5IpjeFmMoAECiCyVSCvokX2ySCOTR:lhu1UFT+8ECeZXjk
                                                                MD5:2826EF39793D379DB86CA50DA0A1A002
                                                                SHA1:A9ED2ADC21B9B2B6FC623AAB9E9F7819ED2158A0
                                                                SHA-256:C44E14BC2E13050013885A3AF5C54754FCD68839002909AC57887E81A7305C06
                                                                SHA-512:00A233816584D54703BCC718B8320784779F81F6F4CAA02D29020364BEF2A2033EF4DAF66A4F41A45312BF8484295EBA3BD1F6764B0692FCF60F8CDDAA756D73
                                                                Malicious:false
                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):432221
                                                                Entropy (8bit):5.375184604487685
                                                                Encrypted:false
                                                                SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgauj:zTtbmkExhMJCIpEru
                                                                MD5:808B7492B652E70D2D08347E964DFE02
                                                                SHA1:B2204AA7377998AD7B900642E1F7967DDC1FAC31
                                                                SHA-256:8E15C6AF78F9AA2824AA875FC4C39041589F5AC2586E3B36BCF987E37F3E1982
                                                                SHA-512:8810B7B92DA60E1D6AD915108AEC49B8204CE95EB78221144C465464A565D86FB277974E3FB75A7B7843696C8A583F5E0B341FDD0DCA6CF2300F349394F0A209
                                                                Malicious:false
                                                                Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):32768
                                                                Entropy (8bit):1.2675831570404854
                                                                Encrypted:false
                                                                SSDEEP:48:WgmmuaPvcFXOTT5CpjeFmMoAECiCyVSCvokX2ySCOTR:UmAOTo8ECeZXjk
                                                                MD5:637DE173DEEB2A341CE174313DC82628
                                                                SHA1:CE5FC596C717F6FE1374AD199927062BDC90046C
                                                                SHA-256:3F2C340292BDC3D0635BB5FAECBCD3FE3FEB0BB4811EB2A2B4EB6F1AD9688918
                                                                SHA-512:7DE259039E2AD3DF0B541DCDAD6FF61444FADD42137D9D79DF3DB1807467728E2534A384FC3F2D8B6841D06997BB6F05341B321AC6B1A63FD1A8B45F1C061A1F
                                                                Malicious:false
                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:modified
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):73728
                                                                Entropy (8bit):0.1444609706203122
                                                                Encrypted:false
                                                                SSDEEP:24:jGtFPTxkrMvxipVkrMvvkrMvbMoAEVkryjCyH1ipVkrMvIV2BwGCr80j+BEpu:j4TeySCTmMoAECiCyVSCvokXjeEp
                                                                MD5:825BDB06624DB1D51A9A5D10C799637F
                                                                SHA1:6295F98B0BEFCC85FFE950BC594930757137DDB2
                                                                SHA-256:7C4DEE60014D4895241130AC06C836C316AE032D4240010575823DBE7B478987
                                                                SHA-512:EA5CF67894EFFC1ED068534640DC24FDE35FE3960009623DE4271B3F4B176C9B3B107002E40312762A494A7CA9D6BEBB1445DC5EF9EC67A9DEE92397EC27556D
                                                                Malicious:false
                                                                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):20480
                                                                Entropy (8bit):1.5817812156259112
                                                                Encrypted:false
                                                                SSDEEP:48:a8PhuuRc06WXOCFT5IpjeFmMoAECiCyVSCvokX2ySCOTR:lhu1UFT+8ECeZXjk
                                                                MD5:2826EF39793D379DB86CA50DA0A1A002
                                                                SHA1:A9ED2ADC21B9B2B6FC623AAB9E9F7819ED2158A0
                                                                SHA-256:C44E14BC2E13050013885A3AF5C54754FCD68839002909AC57887E81A7305C06
                                                                SHA-512:00A233816584D54703BCC718B8320784779F81F6F4CAA02D29020364BEF2A2033EF4DAF66A4F41A45312BF8484295EBA3BD1F6764B0692FCF60F8CDDAA756D73
                                                                Malicious:false
                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):32768
                                                                Entropy (8bit):1.2675831570404854
                                                                Encrypted:false
                                                                SSDEEP:48:WgmmuaPvcFXOTT5CpjeFmMoAECiCyVSCvokX2ySCOTR:UmAOTo8ECeZXjk
                                                                MD5:637DE173DEEB2A341CE174313DC82628
                                                                SHA1:CE5FC596C717F6FE1374AD199927062BDC90046C
                                                                SHA-256:3F2C340292BDC3D0635BB5FAECBCD3FE3FEB0BB4811EB2A2B4EB6F1AD9688918
                                                                SHA-512:7DE259039E2AD3DF0B541DCDAD6FF61444FADD42137D9D79DF3DB1807467728E2534A384FC3F2D8B6841D06997BB6F05341B321AC6B1A63FD1A8B45F1C061A1F
                                                                Malicious:false
                                                                Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):20480
                                                                Entropy (8bit):1.5817812156259112
                                                                Encrypted:false
                                                                SSDEEP:48:a8PhuuRc06WXOCFT5IpjeFmMoAECiCyVSCvokX2ySCOTR:lhu1UFT+8ECeZXjk
                                                                MD5:2826EF39793D379DB86CA50DA0A1A002
                                                                SHA1:A9ED2ADC21B9B2B6FC623AAB9E9F7819ED2158A0
                                                                SHA-256:C44E14BC2E13050013885A3AF5C54754FCD68839002909AC57887E81A7305C06
                                                                SHA-512:00A233816584D54703BCC718B8320784779F81F6F4CAA02D29020364BEF2A2033EF4DAF66A4F41A45312BF8484295EBA3BD1F6764B0692FCF60F8CDDAA756D73
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):512
                                                                Entropy (8bit):0.0
                                                                Encrypted:false
                                                                SSDEEP:3::
                                                                MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                Category:dropped
                                                                Size (bytes):32768
                                                                Entropy (8bit):1.2675831570404854
                                                                Encrypted:false
                                                                SSDEEP:48:WgmmuaPvcFXOTT5CpjeFmMoAECiCyVSCvokX2ySCOTR:UmAOTo8ECeZXjk
                                                                MD5:637DE173DEEB2A341CE174313DC82628
                                                                SHA1:CE5FC596C717F6FE1374AD199927062BDC90046C
                                                                SHA-256:3F2C340292BDC3D0635BB5FAECBCD3FE3FEB0BB4811EB2A2B4EB6F1AD9688918
                                                                SHA-512:7DE259039E2AD3DF0B541DCDAD6FF61444FADD42137D9D79DF3DB1807467728E2534A384FC3F2D8B6841D06997BB6F05341B321AC6B1A63FD1A8B45F1C061A1F
                                                                Malicious:false
                                                                Process:C:\Windows\System32\msiexec.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):32768
                                                                Entropy (8bit):0.06902869483447095
                                                                Encrypted:false
                                                                SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOUhkUClPkUVkyVky6l3X:2F0i8n0itFzDHFTUnAW3X
                                                                MD5:FD6A651D88FC12D5F65B8C37A7D757F7
                                                                SHA1:6BB2E796967D1631CA25A2BAD1632DF23F297E66
                                                                SHA-256:916E542D521D092537049175AFDE1E92D5F7764726A4FC6BA53C69E3C121B595
                                                                SHA-512:DA9A8991A69000366500F17AE5DC17BE87C3471095160A21D8B17A863B1A3D830FBACB0FD36F65EFCF5C230C6F9DCD905F4B872521F461DD8B4BCE4C89515339
                                                                Malicious:false
                                                                Process:C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):638
                                                                Entropy (8bit):4.751962275036146
                                                                Encrypted:false
                                                                SSDEEP:12:ku/L92WF4gx9l+jsPczo/CdaD0gwiSrlEX6OPkRVdoaQLeU4wv:ku/h5F4Bs0oCdalwisCkRVKVeU4wv
                                                                MD5:15CA959638E74EEC47E0830B90D0696E
                                                                SHA1:E836936738DCB6C551B6B76054F834CFB8CC53E5
                                                                SHA-256:57F2C730C98D62D6C84B693294F6191FD2BEC7D7563AD9963A96AE87ABEBF9EE
                                                                SHA-512:101390C5D2FA93162804B589376CF1E4A1A3DD4BDF4B6FE26D807AFC3FF80DA26EE3BAEB731D297A482165DE7CA48508D6EAA69A5509168E9CEF20B4A88A49FD
                                                                Malicious:false
                                                                Preview:
                                                                [createdump] createdump [options] pid
                                                                -f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values:
                                                                   %p PID of dumped process.
                                                                   %e The process executable filename.
                                                                   %h Hostname return by gethostname()
                                                                   %t Time of dump, expressed as seconds since the Epoch, 1970-01-01 00:00:00 +0000 (UTC)
                                                                -n, --normal - create minidump
                                                                -h, --withheap - create minidump with heap (default)
                                                                -t, --triage - create triage minidump
                                                                -u, --full - create full core dump
                                                                -d, --diag - enable diagnostic messages
                                                                -v, --verbose - enable verbose diagnostic messages
                                                                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {EF350A28-9BA8-4F85-B94C-53D911CB898F}, Number of Words: 10, Subject: App x installer, Author: Coors Q Corporation, Name of Creating Application: App x installer, Template: x64;2057, Comments: This installer database contains the logic and data required to install App x installer., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Fri Dec 20 19:52:49 2024, Last Saved Time/Date: Fri Dec 20 19:52:49 2024, Last Printed: Fri Dec 20 19:52:49 2024, Number of Pages: 450
                                                                Entropy (8bit):7.202290189811352
                                                                TrID:
                                                                • Windows SDK Setup Transform Script (63028/2) 88.73%
                                                                • Generic OLE2 / Multistream Compound File (8008/1) 11.27%
                                                                File name:Setup.msi
                                                                File size:60'325'376 bytes
                                                                MD5:d874e0a9455815e7a46abf2df7f74896
                                                                SHA1:d2c0d8370b340d37b8eb0e9c06ddd0c05be7450b
                                                                SHA256:14c34f0134e24ff3e0761b97081e9cdd70725f16686f8c3b0beb28328bea795f
                                                                SHA512:6f6451711d61863e1298804828ead4fc5619ab4565f015d4b871ed3774434751d9868f349186dd4123c5080ee49d6b4e3b2ec6e80a2e363baa20d3b996ec4740
                                                                SSDEEP:786432:YWZojVmrjV7eIAtehOTZQoZ4sdUuzt/NCaY2ksC:YW8VmrjV7eIvhOTZlRjVCa1t
                                                                TLSH:EAD76C01B3FA4148F2F75EB17EBA45A594BABD521B30C0EF1204A60E1B71BC25BB5763
                                                                Icon Hash:2d2e3797b32b2b99
                                                                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                                                2024-12-20T22:47:26.903254+0100 | 2829202 | ETPRO MALWARE MSIL/Zbrain PUP/Stealer Installer UA | 1 | 192.168.2.4 | 49730 | 172.67.164.25 | 443 | TCP
                                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                Dec 20, 2024 22:47:25.596086979 CET | 49730 | 443 | 192.168.2.4 | 172.67.164.25
                                                                Dec 20, 2024 22:47:25.596210957 CET | 443 | 49730 | 172.67.164.25 | 192.168.2.4
                                                                Dec 20, 2024 22:47:25.596314907 CET | 49730 | 443 | 192.168.2.4 | 172.67.164.25
                                                                Dec 20, 2024 22:47:25.600826025 CET | 49730 | 443 | 192.168.2.4 | 172.67.164.25
                                                                Dec 20, 2024 22:47:25.600866079 CET | 443 | 49730 | 172.67.164.25 | 192.168.2.4
                                                                Dec 20, 2024 22:47:26.829013109 CET | 443 | 49730 | 172.67.164.25 | 192.168.2.4
                                                                Dec 20, 2024 22:47:26.829099894 CET | 49730 | 443 | 192.168.2.4 | 172.67.164.25
                                                                Dec 20, 2024 22:47:26.872533083 CET | 49730 | 443 | 192.168.2.4 | 172.67.164.25
                                                                Dec 20, 2024 22:47:26.872585058 CET | 443 | 49730 | 172.67.164.25 | 192.168.2.4
                                                                Dec 20, 2024 22:47:26.872805119 CET | 443 | 49730 | 172.67.164.25 | 192.168.2.4
                                                                Dec 20, 2024 22:47:26.872874975 CET | 49730 | 443 | 192.168.2.4 | 172.67.164.25
                                                                Dec 20, 2024 22:47:26.902946949 CET | 49730 | 443 | 192.168.2.4 | 172.67.164.25
                                                                Dec 20, 2024 22:47:26.903191090 CET | 49730 | 443 | 192.168.2.4 | 172.67.164.25
                                                                Dec 20, 2024 22:47:26.903228998 CET | 443 | 49730 | 172.67.164.25 | 192.168.2.4
                                                                Dec 20, 2024 22:47:27.620193005 CET | 443 | 49730 | 172.67.164.25 | 192.168.2.4
                                                                Dec 20, 2024 22:47:27.620251894 CET | 443 | 49730 | 172.67.164.25 | 192.168.2.4
                                                                Dec 20, 2024 22:47:27.620255947 CET | 49730 | 443 | 192.168.2.4 | 172.67.164.25
                                                                Dec 20, 2024 22:47:27.620327950 CET | 49730 | 443 | 192.168.2.4 | 172.67.164.25
                                                                Dec 20, 2024 22:47:27.620995045 CET | 49730 | 443 | 192.168.2.4 | 172.67.164.25
                                                                Dec 20, 2024 22:47:27.621042013 CET | 443 | 49730 | 172.67.164.25 | 192.168.2.4
                                                                Dec 20, 2024 22:47:27.621068954 CET | 49730 | 443 | 192.168.2.4 | 172.67.164.25
                                                                Dec 20, 2024 22:47:27.621118069 CET | 49730 | 443 | 192.168.2.4 | 172.67.164.25
                                                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                Dec 20, 2024 22:47:25.367734909 CET | 54605 | 53 | 192.168.2.4 | 1.1.1.1
                                                                Dec 20, 2024 22:47:25.590244055 CET | 53 | 54605 | 1.1.1.1 | 192.168.2.4
                                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                                Dec 20, 2024 22:47:25.367734909 CET | 192.168.2.4 | 1.1.1.1 | 0xb8f4 | Standard query (0) | cubermo.com | A (IP address) | IN (0x0001) | false
                                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                                Dec 20, 2024 22:47:25.590244055 CET | 1.1.1.1 | 192.168.2.4 | 0xb8f4 | No error (0) | cubermo.com | | 172.67.164.25 | A (IP address) | IN (0x0001) | false
                                                                Dec 20, 2024 22:47:25.590244055 CET | 1.1.1.1 | 192.168.2.4 | 0xb8f4 | No error (0) | cubermo.com | | 104.21.65.145 | A (IP address) | IN (0x0001) | false
                                                                • cubermo.com
                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                0 | 192.168.2.4 | 49730 | 172.67.164.25 | 443 | 7128 | C:\Windows\SysWOW64\msiexec.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                2024-12-20 21:47:26 UTC | 189 | OUT | POST /updater.php HTTP/1.1
                                                                Content-Type: application/x-www-form-urlencoded; charset=utf-8
                                                                User-Agent: AdvancedInstaller
                                                                Host: cubermo.com
                                                                Content-Length: 71
                                                                Cache-Control: no-cache
                                                                2024-12-20 21:47:26 UTC | 71 | OUT | Data Raw: 44 61 74 65 3d 32 30 25 32 46 31 32 25 32 46 32 30 32 34 26 54 69 6d 65 3d 31 36 25 33 41 34 37 25 33 41 32 34 26 42 75 69 6c 64 56 65 72 73 69 6f 6e 3d 38 2e 39 2e 39 26 53 6f 72 6f 71 56 69 6e 73 3d 54 72 75 65
                                                                Data Ascii: Date=20%2F12%2F2024&Time=16%3A47%3A24&BuildVersion=8.9.9&SoroqVins=True
                                                                2024-12-20 21:47:27 UTC | 827 | IN | HTTP/1.1 500 Internal Server Error
                                                                Date: Fri, 20 Dec 2024 21:47:27 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                Cache-Control: no-store
                                                                cf-cache-status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RP5cCQVCZydmxYHjqsMFMHWUejbKgZvqjGPxdV3A5wREqYlFs8SG8bbJs8Vu6%2BgUPcyCiK3M2D1dYIliM8URtBf5FtZIkr9l4IJxhct%2B0hDK0is6B88MIN9SPYxegQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 8f52d4b66fc941cd-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1623&min_rtt=1615&rtt_var=621&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2826&recv_bytes=920&delivery_rate=1739130&cwnd=227&unsent_bytes=0&cid=264dfaf228e3ebef&ts=804&x=0"
                                                                2024-12-20 21:47:27 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                Data Ascii: 0

                                                                Target ID:0
                                                                Start time:16:47:13
                                                                Start date:20/12/2024
                                                                Path:C:\Windows\System32\msiexec.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Setup.msi"
                                                                Imagebase:0x7ff6cdff0000
                                                                File size:69'632 bytes
                                                                MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:1
                                                                Start time:16:47:13
                                                                Start date:20/12/2024
                                                                Path:C:\Windows\System32\msiexec.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\msiexec.exe /V
                                                                Imagebase:0x7ff6cdff0000
                                                                File size:69'632 bytes
                                                                MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:2
                                                                Start time:16:47:16
                                                                Start date:20/12/2024
                                                                Path:C:\Windows\SysWOW64\msiexec.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 3D12795788B3B48CFEE010738CCB41BA
                                                                Imagebase:0x600000
                                                                File size:59'904 bytes
                                                                MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:3
                                                                Start time:16:47:27
                                                                Start date:20/12/2024
                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):true
                                                                Commandline: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\user\AppData\Local\Temp\pssD4D2.ps1" -propFile "C:\Users\user\AppData\Local\Temp\msiD4BF.txt" -scriptFile "C:\Users\user\AppData\Local\Temp\scrD4C0.ps1" -scriptArgsFile "C:\Users\user\AppData\Local\Temp\scrD4C1.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
                                                                Imagebase:0x620000
                                                                File size:433'152 bytes
                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:4
                                                                Start time:16:47:27
                                                                Start date:20/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:8
                                                                Start time:16:47:34
                                                                Start date:20/12/2024
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\suriqk.bat" "C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe""
                                                                Imagebase:0x7ff7aa3e0000
                                                                File size:289'792 bytes
                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:9
                                                                Start time:16:47:34
                                                                Start date:20/12/2024
                                                                Path:C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\createdump.exe"
                                                                Imagebase:0x7ff6596b0000
                                                                File size:57'488 bytes
                                                                MD5 hash:71F796B486C7FAF25B9B16233A7CE0CD
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Antivirus matches:
                                                                • Detection: 0%, ReversingLabs
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:10
                                                                Start time:16:47:34
                                                                Start date:20/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:11
                                                                Start time:16:47:34
                                                                Start date:20/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff7699e0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:12
                                                                Start time:16:47:34
                                                                Start date:20/12/2024
                                                                Path:C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Users\user\AppData\Roaming\Coors Q Corporation\App x installer\ImporterREDServer.exe"
                                                                Imagebase:0x140000000
                                                                File size:117'496 bytes
                                                                MD5 hash:F67792E08586EA936EBCAE43AAB0388D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Antivirus matches:
                                                                • Detection: 0%, ReversingLabs
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:13
                                                                Start time:16:47:34
                                                                Start date:20/12/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff72bec0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Has exited:true

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.1859393136.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_7ac0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $kq$$kq$$kq
                                                                  • API String ID: 0-2086306503
                                                                  • Opcode ID: ecca86f57bfcefc4c303ab9247b04a4a8dd259e3e215495c277a9bff62f7482b
                                                                  • Instruction ID: 0c71b28a741921e52a7465b5fb28d55e5ed8e249430e3e94e5e572f6dcd6de6e
                                                                  • Opcode Fuzzy Hash: ecca86f57bfcefc4c303ab9247b04a4a8dd259e3e215495c277a9bff62f7482b
                                                                  • Instruction Fuzzy Hash: 4E6135F170820DAFDB25DF69D8506AA7BF2AFC5210F14846EE425CB292DB35DC41CB91
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.1859393136.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_7ac0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: $kq$$kq
                                                                  • API String ID: 0-3550614674
                                                                  • Opcode ID: 72ab9157c622893de7a1920e171ed7373a293c4409f439bacc71c48d05920650
                                                                  • Instruction ID: 20514dfa7a1cf1076e54fbab84f99c914334a80ebac7bd99382f335a6f287027
                                                                  • Opcode Fuzzy Hash: 72ab9157c622893de7a1920e171ed7373a293c4409f439bacc71c48d05920650
                                                                  • Instruction Fuzzy Hash: F241A2F070934EEFCB25CF25C5846A67BF5AF81220F1481AEE8248B157D738C946CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.1855224455.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4fd0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d222f1eaa1706fdabbdf8be7c32241c6fc9ed57bfaf18cc11a9e70b1fab110b0
                                                                  • Instruction ID: 2364f6d08ccc665c74f3765162cf5ec3fa6313b005bb403d21da235da4b595e4
                                                                  • Opcode Fuzzy Hash: d222f1eaa1706fdabbdf8be7c32241c6fc9ed57bfaf18cc11a9e70b1fab110b0
                                                                  • Instruction Fuzzy Hash: 98E100B0A052448FC715CF6CC4909AABBF2FF89300B1985AAD945DB3A5D734FC46CB92
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.1855224455.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4fd0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0c2c5da29d92255ba13d36db8acc9a1440297b4dccd79479ba0a8157d9164f16
                                                                  • Instruction ID: 876165554597fce0213aa80dd268f70953ba0ff6b5285b69423320909a69d0b1
                                                                  • Opcode Fuzzy Hash: 0c2c5da29d92255ba13d36db8acc9a1440297b4dccd79479ba0a8157d9164f16
                                                                  • Instruction Fuzzy Hash: 63A17031E002089FDB14EFA5D944A9DBBB3FF84394F158568D816AB365DB34BD4ACB40
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.1855224455.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4fd0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 151f2cd91c729cfc3eae9e2fefc7c7a61d0f5237636ebe2efc3cc5925673775d
                                                                  • Instruction ID: 13e8c71cc196e01520c9a865667d29e2bfa919407e195179a5cdb4be3d2295e1
                                                                  • Opcode Fuzzy Hash: 151f2cd91c729cfc3eae9e2fefc7c7a61d0f5237636ebe2efc3cc5925673775d
                                                                  • Instruction Fuzzy Hash: 8B71E030A00249CFCB14DF68D894A9EFBF6FF85304F288469E416DB661DB75AC46CB50
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.1855224455.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4fd0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: d4cc683a209580168224bcb5baa9813673c52a10c3c74d2b7d477dbe9207c705
                                                                  • Instruction ID: ddbbca16d19337f22856c59840913821f0f4934db9d7c090299219867386c464
                                                                  • Opcode Fuzzy Hash: d4cc683a209580168224bcb5baa9813673c52a10c3c74d2b7d477dbe9207c705
                                                                  • Instruction Fuzzy Hash: A2713B70E00249DFDB14EFA4D494AADBBF6FF84344F298429D412AB2A5DF34AC46CB51
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.1855224455.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4fd0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 7011e3820d4e9b62f0e5737f914713ce2833700501568c94caad8f50b4a4c190
                                                                  • Instruction ID: b03b78772c9aa46e37865f71e5b0f89e7a33bb0bda4f5f55bca4a09ff7822e64
                                                                  • Opcode Fuzzy Hash: 7011e3820d4e9b62f0e5737f914713ce2833700501568c94caad8f50b4a4c190
                                                                  • Instruction Fuzzy Hash: F541C271A003049FEB15EF24D955AADBBB7EF89794F084068D512EB3A4CF34AC42CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.1855224455.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4fd0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: bff9d4593390babd28e82e0e94d16e7e7bb7e11138c628e1805cb81d4ee1976a
                                                                  • Instruction ID: 4a360d3cedbee08a87d4f0b7f77f8802faa2f4b42e306969d609663be0596fca
                                                                  • Opcode Fuzzy Hash: bff9d4593390babd28e82e0e94d16e7e7bb7e11138c628e1805cb81d4ee1976a
                                                                  • Instruction Fuzzy Hash: 3E41AF70A00249DFDB14EFA9D8946ADBBF2FF85344F188469D016AB790DF74AC46CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.1855224455.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4fd0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e506647ab787223967d3e65361d18b2bab80f4ab5632d145432ec6048ddd32f5
                                                                  • Instruction ID: ce7a554b04812e9dd3c5d445c1e331ef58089c3f6336a8e34d752f5498e16478
                                                                  • Opcode Fuzzy Hash: e506647ab787223967d3e65361d18b2bab80f4ab5632d145432ec6048ddd32f5
                                                                  • Instruction Fuzzy Hash: 43413CB4A001099FCB05CF59C594AAEFBB2FF48310B158559D915AB3A4C736FC51CFA1
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.1855076088.0000000004F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F2D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4f2d000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2e38980262133163bb9b85685a72262b7a46d1d0d1c0be662872839c89b9d904
                                                                  • Instruction ID: a08ac25d12b599e1c175f8e053783cd45f6f6b08e896e4752f85dcb69eaa3ab8
                                                                  • Opcode Fuzzy Hash: 2e38980262133163bb9b85685a72262b7a46d1d0d1c0be662872839c89b9d904
                                                                  • Instruction Fuzzy Hash: 93012B315083109AE710CF25DEC4767BF98DF45324F18C429ED484B15AC279E842CAB1
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.1855076088.0000000004F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F2D000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4f2d000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b4cfe22c61bc069bf03d024b123bbde0755318d7080c983ae3bbd9158748ac2a
                                                                  • Instruction ID: c76b7b7870e75fe3b8f02f50c1279c5de3b9c99312207766b05062accf91b3bb
                                                                  • Opcode Fuzzy Hash: b4cfe22c61bc069bf03d024b123bbde0755318d7080c983ae3bbd9158748ac2a
                                                                  • Instruction Fuzzy Hash: 00015E6140E3D09EE7128B259994B52BFB4EF43224F1DC4DBD9888F1A7C2699849CB72
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.1855224455.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4fd0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 0db7f769cf8a5eb0d0bce191aefe6da961ddba497ebdc7eacbf0f01189e96e5b
                                                                  • Instruction ID: faf28ca683ccb5b2418b012cdba03665ff729957f778355ca18fb7c25a575b9f
                                                                  • Opcode Fuzzy Hash: 0db7f769cf8a5eb0d0bce191aefe6da961ddba497ebdc7eacbf0f01189e96e5b
                                                                  • Instruction Fuzzy Hash: 9AF03774B403058FDB04EBA4C565B6E77B2EF41384F104524D5019F368DB78AD498BC0
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.1855224455.0000000004FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FD0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_4fd0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 330887999ea8f76a32a1c05d6579476afc7f75dd90203ac7c29f02bdd2fcd326
                                                                  • Instruction ID: 21d0c784181256c0847d2f20a2857599f606d7f39cef121bb8bfecdba2458e72
                                                                  • Opcode Fuzzy Hash: 330887999ea8f76a32a1c05d6579476afc7f75dd90203ac7c29f02bdd2fcd326
                                                                  • Instruction Fuzzy Hash: BCB1C9307003018FD715DF24D580B6A7BA3AFC9704F544499D9468F7AADB36E943DB52
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.1859393136.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_7ac0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 84Yk$84Yk$tPkq$tPkq$tPkq$tPkq$$kq$$kq$$kq$$kq$Qk$Qk
                                                                  • API String ID: 0-128379737
                                                                  • Opcode ID: a75b7d05b3c8a0618ad25a2e5de740e2c1ce45a2788d6299942c83d615ec9031
                                                                  • Instruction ID: d5422fb734c97f8e2d767de0d8b73860f60073e91dde4c8b62fcbbd4702b5666
                                                                  • Opcode Fuzzy Hash: a75b7d05b3c8a0618ad25a2e5de740e2c1ce45a2788d6299942c83d615ec9031
                                                                  • Instruction Fuzzy Hash: 00814CF1704349AFD725DB69D8106AABBE6AFC5211F18806FD464CB393CA35DC41CBA2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.1859393136.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_7ac0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4'kq$4'kq$$kq$$kq$$kq$$kq$$kq$$kq
                                                                  • API String ID: 0-3137036682
                                                                  • Opcode ID: 3b9c86e3595f3ec07cabf73ac81d2aed8e837c7655c26e09aa54b91ac33ee115
                                                                  • Instruction ID: 349d680042c68121f718fb40fea30bad2a0bca414135f3233a2a4aba674092ea
                                                                  • Opcode Fuzzy Hash: 3b9c86e3595f3ec07cabf73ac81d2aed8e837c7655c26e09aa54b91ac33ee115
                                                                  • Instruction Fuzzy Hash: FD5138B5704346EFDB35CB299C002ABBBB6AFC2210F2884AFE465C7251DA35C945C7A1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.1859393136.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_7ac0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4Xk$4Xk$$kq$$kq$$kq
                                                                  • API String ID: 0-235402572
                                                                  • Opcode ID: 75fcbb6ab10e9d7194e15cd0d7ff0b400032df9ddf36d1160410203bba21762c
                                                                  • Instruction ID: 8a2be7815c18c45dfc9f821bb09f4d5dbf63eeb9b632c0df1598b0515d0cef1c
                                                                  • Opcode Fuzzy Hash: 75fcbb6ab10e9d7194e15cd0d7ff0b400032df9ddf36d1160410203bba21762c
                                                                  • Instruction Fuzzy Hash: E61108B231421AEBD634D7299C2067776DE4BD1610B14843ED511CA2D5DE3AD88183B1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000003.00000002.1859393136.0000000007AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AC0000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_3_2_7ac0000_powershell.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: 4'kq$4'kq$$kq$$kq
                                                                  • API String ID: 0-1727931526
                                                                  • Opcode ID: 95fb7965cc60ccf4db585d6f83079eb24b48ababc1b932a4627b07cfc223e641
                                                                  • Instruction ID: d154e97dac3859d9f4aaaa296119e5464cdedfbc73d35be32a93c7475650869d
                                                                  • Opcode Fuzzy Hash: 95fb7965cc60ccf4db585d6f83079eb24b48ababc1b932a4627b07cfc223e641
                                                                  • Instruction Fuzzy Hash: 0101D67160A39D9FD72693281C201A36FF25FC355073A419BC191DB2E3CC6A8C0683A2

                                                                  Execution Graph

                                                                  Execution Coverage:3.4%
                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                  Signature Coverage:1.7%
                                                                  Total number of Nodes:700
                                                                  Total number of Limit Nodes:1
                                                                  execution_graph 2502 7ff6596b7130 2503 7ff6596b7168 __GSHandlerCheckCommon 2502->2503 2504 7ff6596b7194 2503->2504 2506 7ff6596b3c00 2503->2506 2515 7ff6596b43d0 2506->2515 2508 7ff6596b3c42 2509 7ff6596b43d0 ExFilterRethrow 10 API calls 2508->2509 2510 7ff6596b3c4f 2509->2510 2511 7ff6596b43d0 ExFilterRethrow 10 API calls 2510->2511 2512 7ff6596b3c58 __GSHandlerCheck_EH 2511->2512 2518 7ff6596b5414 2512->2518 2534 7ff6596b43ec 2515->2534 2517 7ff6596b43d9 2517->2508 2519 7ff6596b5443 __except_validate_context_record 2518->2519 2520 7ff6596b43d0 ExFilterRethrow 10 API calls 2519->2520 2522 7ff6596b5448 2520->2522 2521 7ff6596b5498 2523 7ff6596b3ca9 2521->2523 2524 7ff6596b559f 2521->2524 2532 7ff6596b54f3 __GSHandlerCheck_EH 2521->2532 2522->2521 2522->2523 2526 7ff6596b55b2 __GSHandlerCheck_EH 2522->2526 2523->2504 2576 7ff6596b3678 2524->2576 2525 7ff6596b55f7 2525->2523 2583 7ff6596b49a4 2525->2583 2526->2523 2526->2525 2580 7ff6596b3bbc 2526->2580 2529 7ff6596b56a2 abort 2531 7ff6596b5543 2552 7ff6596b5cf0 2531->2552 2532->2529 2532->2531 2535 7ff6596b4404 2534->2535 2536 7ff6596b440b GetLastError 2534->2536 2535->2517 2548 7ff6596b6678 2536->2548 2549 7ff6596b6498 __vcrt_InitializeCriticalSectionEx 5 API calls 2548->2549 2550 7ff6596b669f TlsGetValue 2549->2550 2636 7ff6596b3ba8 2552->2636 2554 7ff6596b5d40 __GSHandlerCheck_EH 2555 7ff6596b5d72 2554->2555 2556 7ff6596b5d5b 2554->2556 2557 7ff6596b43d0 ExFilterRethrow 10 API calls 2555->2557 2558 7ff6596b43d0 ExFilterRethrow 10 API calls 2556->2558 2559 7ff6596b5d77 2557->2559 2560 7ff6596b5d60 2558->2560 2562 7ff6596b5d6a 2559->2562 2563 7ff6596b43d0 ExFilterRethrow 10 API calls 2559->2563 2561 7ff6596b5fd0 abort 2560->2561 2560->2562 2564 7ff6596b43d0 ExFilterRethrow 10 API calls 2562->2564 2565 7ff6596b5d82 2563->2565 2574 7ff6596b5d96 __GSHandlerCheck_EH 2564->2574 2566 7ff6596b43d0 ExFilterRethrow 10 API calls 2565->2566 2566->2562 2567 
7ff6596b5f92 2568 7ff6596b43d0 ExFilterRethrow 10 API calls 2567->2568 2569 7ff6596b5f97 2568->2569 2570 7ff6596b5fa2 2569->2570 2571 7ff6596b43d0 ExFilterRethrow 10 API calls 2569->2571 2572 7ff6596b2660 __GSHandlerCheck_EH 8 API calls 2570->2572 2571->2570 2573 7ff6596b5fb5 2572->2573 2573->2523 2574->2567 2639 7ff6596b3bd0 2574->2639 2577 7ff6596b368a 2576->2577 2578 7ff6596b5cf0 __GSHandlerCheck_EH 19 API calls 2577->2578 2579 7ff6596b36a5 2578->2579 2579->2523 2581 7ff6596b43d0 ExFilterRethrow 10 API calls 2580->2581 2582 7ff6596b3bc5 2581->2582 2582->2525 2584 7ff6596b4a01 __GSHandlerCheck_EH 2583->2584 2585 7ff6596b4a20 2584->2585 2586 7ff6596b4a09 2584->2586 2588 7ff6596b43d0 ExFilterRethrow 10 API calls 2585->2588 2587 7ff6596b43d0 ExFilterRethrow 10 API calls 2586->2587 2594 7ff6596b4a0e 2587->2594 2589 7ff6596b4a25 2588->2589 2591 7ff6596b43d0 ExFilterRethrow 10 API calls 2589->2591 2589->2594 2590 7ff6596b4e99 abort 2592 7ff6596b4a30 2591->2592 2593 7ff6596b43d0 ExFilterRethrow 10 API calls 2592->2593 2593->2594 2594->2590 2596 7ff6596b4b54 __GSHandlerCheck_EH 2594->2596 2598 7ff6596b43d0 ExFilterRethrow 10 API calls 2594->2598 2595 7ff6596b4def 2595->2590 2597 7ff6596b4ded 2595->2597 2678 7ff6596b4ea0 2595->2678 2596->2595 2630 7ff6596b4b90 __GSHandlerCheck_EH 2596->2630 2599 7ff6596b43d0 ExFilterRethrow 10 API calls 2597->2599 2600 7ff6596b4ac0 2598->2600 2603 7ff6596b4e30 2599->2603 2601 7ff6596b4e37 2600->2601 2605 7ff6596b43d0 ExFilterRethrow 10 API calls 2600->2605 2606 7ff6596b2660 __GSHandlerCheck_EH 8 API calls 2601->2606 2603->2590 2603->2601 2604 7ff6596b4dd4 __GSHandlerCheck_EH 2604->2597 2610 7ff6596b4e81 2604->2610 2607 7ff6596b4ad0 2605->2607 2608 7ff6596b4e43 2606->2608 2609 7ff6596b43d0 ExFilterRethrow 10 API calls 2607->2609 2608->2523 2611 7ff6596b4ad9 2609->2611 2612 7ff6596b43d0 ExFilterRethrow 10 API calls 2610->2612 2642 7ff6596b3be8 2611->2642 2614 7ff6596b4e86 2612->2614 2616 7ff6596b43d0 ExFilterRethrow 10 API calls 2614->2616 
2617 7ff6596b4e8f terminate 2616->2617 2617->2590 2618 7ff6596b43d0 ExFilterRethrow 10 API calls 2619 7ff6596b4b16 2618->2619 2619->2596 2620 7ff6596b43d0 ExFilterRethrow 10 API calls 2619->2620 2622 7ff6596b4b22 2620->2622 2621 7ff6596b3bbc 10 API calls BuildCatchObjectHelperInternal 2621->2630 2623 7ff6596b43d0 ExFilterRethrow 10 API calls 2622->2623 2624 7ff6596b4b2b 2623->2624 2645 7ff6596b5fd8 2624->2645 2628 7ff6596b4b3f 2652 7ff6596b60c8 2628->2652 2630->2604 2630->2621 2656 7ff6596b52d0 2630->2656 2670 7ff6596b48d0 2630->2670 2631 7ff6596b4e7b terminate 2631->2610 2633 7ff6596b4b47 std::bad_alloc::bad_alloc __GSHandlerCheck_EH 2633->2631 2634 7ff6596b3f84 std::_Xinvalid_argument 2 API calls 2633->2634 2635 7ff6596b4e7a 2634->2635 2635->2631 2637 7ff6596b43d0 ExFilterRethrow 10 API calls 2636->2637 2638 7ff6596b3bb1 2637->2638 2638->2554 2640 7ff6596b43d0 ExFilterRethrow 10 API calls 2639->2640 2641 7ff6596b3bde 2640->2641 2641->2574 2643 7ff6596b43d0 ExFilterRethrow 10 API calls 2642->2643 2644 7ff6596b3bf6 2643->2644 2644->2590 2644->2618 2646 7ff6596b60bf abort 2645->2646 2649 7ff6596b6003 2645->2649 2647 7ff6596b4b3b 2647->2596 2647->2628 2648 7ff6596b3bbc 10 API calls BuildCatchObjectHelperInternal 2648->2649 2649->2647 2649->2648 2650 7ff6596b3ba8 Is_bad_exception_allowed 10 API calls 2649->2650 2694 7ff6596b5190 2649->2694 2650->2649 2653 7ff6596b6135 2652->2653 2654 7ff6596b60e5 Is_bad_exception_allowed 2652->2654 2653->2633 2654->2653 2655 7ff6596b3ba8 10 API calls Is_bad_exception_allowed 2654->2655 2655->2654 2657 7ff6596b52fd 2656->2657 2668 7ff6596b538d 2656->2668 2658 7ff6596b3ba8 Is_bad_exception_allowed 10 API calls 2657->2658 2659 7ff6596b5306 2658->2659 2660 7ff6596b3ba8 Is_bad_exception_allowed 10 API calls 2659->2660 2661 7ff6596b531f 2659->2661 2659->2668 2660->2661 2662 7ff6596b534c 2661->2662 2663 7ff6596b3ba8 Is_bad_exception_allowed 10 API calls 2661->2663 2661->2668 2664 7ff6596b3bbc BuildCatchObjectHelperInternal 10 API calls 
2662->2664 2663->2662 2665 7ff6596b5360 2664->2665 2666 7ff6596b5379 2665->2666 2667 7ff6596b3ba8 Is_bad_exception_allowed 10 API calls 2665->2667 2665->2668 2669 7ff6596b3bbc BuildCatchObjectHelperInternal 10 API calls 2666->2669 2667->2666 2668->2630 2669->2668 2671 7ff6596b490d __GSHandlerCheck_EH 2670->2671 2672 7ff6596b4933 2671->2672 2708 7ff6596b480c 2671->2708 2673 7ff6596b3ba8 Is_bad_exception_allowed 10 API calls 2672->2673 2675 7ff6596b4945 2673->2675 2717 7ff6596b3838 RtlUnwindEx 2675->2717 2679 7ff6596b4ef4 2678->2679 2680 7ff6596b5169 2678->2680 2681 7ff6596b43d0 ExFilterRethrow 10 API calls 2679->2681 2682 7ff6596b2660 __GSHandlerCheck_EH 8 API calls 2680->2682 2683 7ff6596b4ef9 2681->2683 2684 7ff6596b5175 2682->2684 2685 7ff6596b4f0e EncodePointer 2683->2685 2687 7ff6596b4f60 __GSHandlerCheck_EH 2683->2687 2684->2597 2686 7ff6596b43d0 ExFilterRethrow 10 API calls 2685->2686 2689 7ff6596b4f1e 2686->2689 2687->2680 2688 7ff6596b5189 abort 2687->2688 2693 7ff6596b4f82 __GSHandlerCheck_EH 2687->2693 2689->2687 2741 7ff6596b34f8 2689->2741 2691 7ff6596b3ba8 10 API calls Is_bad_exception_allowed 2691->2693 2692 7ff6596b48d0 __GSHandlerCheck_EH 21 API calls 2692->2693 2693->2680 2693->2691 2693->2692 2695 7ff6596b524c 2694->2695 2696 7ff6596b51bd 2694->2696 2695->2649 2697 7ff6596b3ba8 Is_bad_exception_allowed 10 API calls 2696->2697 2698 7ff6596b51c6 2697->2698 2698->2695 2699 7ff6596b3ba8 Is_bad_exception_allowed 10 API calls 2698->2699 2700 7ff6596b51df 2698->2700 2699->2700 2700->2695 2701 7ff6596b520b 2700->2701 2702 7ff6596b3ba8 Is_bad_exception_allowed 10 API calls 2700->2702 2703 7ff6596b3bbc BuildCatchObjectHelperInternal 10 API calls 2701->2703 2702->2701 2704 7ff6596b521f 2703->2704 2704->2695 2705 7ff6596b5238 2704->2705 2706 7ff6596b3ba8 Is_bad_exception_allowed 10 API calls 2704->2706 2707 7ff6596b3bbc BuildCatchObjectHelperInternal 10 API calls 2705->2707 2706->2705 2707->2695 2709 7ff6596b482f 2708->2709 2720 7ff6596b4608 2709->2720 2711 
7ff6596b4840 2712 7ff6596b4881 __AdjustPointer 2711->2712 2713 7ff6596b4845 __AdjustPointer 2711->2713 2714 7ff6596b3bbc BuildCatchObjectHelperInternal 10 API calls 2712->2714 2716 7ff6596b4864 BuildCatchObjectHelperInternal 2712->2716 2715 7ff6596b3bbc BuildCatchObjectHelperInternal 10 API calls 2713->2715 2713->2716 2714->2716 2715->2716 2716->2672 2718 7ff6596b2660 __GSHandlerCheck_EH 8 API calls 2717->2718 2719 7ff6596b394e 2718->2719 2719->2630 2721 7ff6596b4635 2720->2721 2723 7ff6596b463e 2720->2723 2722 7ff6596b3ba8 Is_bad_exception_allowed 10 API calls 2721->2722 2722->2723 2724 7ff6596b3ba8 Is_bad_exception_allowed 10 API calls 2723->2724 2725 7ff6596b465d 2723->2725 2732 7ff6596b46c2 __AdjustPointer BuildCatchObjectHelperInternal 2723->2732 2724->2725 2726 7ff6596b46aa 2725->2726 2727 7ff6596b46ca 2725->2727 2725->2732 2729 7ff6596b47e9 abort abort 2726->2729 2726->2732 2728 7ff6596b3bbc BuildCatchObjectHelperInternal 10 API calls 2727->2728 2730 7ff6596b474a 2727->2730 2727->2732 2728->2730 2731 7ff6596b480c 2729->2731 2730->2732 2734 7ff6596b3bbc BuildCatchObjectHelperInternal 10 API calls 2730->2734 2733 7ff6596b4608 BuildCatchObjectHelperInternal 10 API calls 2731->2733 2732->2711 2735 7ff6596b4840 2733->2735 2734->2732 2736 7ff6596b4881 __AdjustPointer 2735->2736 2737 7ff6596b4845 __AdjustPointer 2735->2737 2738 7ff6596b3bbc BuildCatchObjectHelperInternal 10 API calls 2736->2738 2740 7ff6596b4864 BuildCatchObjectHelperInternal 2736->2740 2739 7ff6596b3bbc BuildCatchObjectHelperInternal 10 API calls 2737->2739 2737->2740 2738->2740 2739->2740 2740->2711 2742 7ff6596b43d0 ExFilterRethrow 10 API calls 2741->2742 2743 7ff6596b3524 2742->2743 2743->2687 2744 7ff6596b43b0 2745 7ff6596b43b9 2744->2745 2746 7ff6596b43ca 2744->2746 2745->2746 2747 7ff6596b43c5 free 2745->2747 2747->2746 2748 7ff6596b1630 2751 7ff6596b3d50 2748->2751 2752 7ff6596b3d5f free 2751->2752 2753 7ff6596b164c 2751->2753 2752->2753 2968 7ff6596b2970 2971 7ff6596b2da0 2968->2971 2972 
7ff6596b2dc3 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 2971->2972 2973 7ff6596b2979 2971->2973 2972->2973 2974 7ff6596b756f 2975 7ff6596b43d0 ExFilterRethrow 10 API calls 2974->2975 2976 7ff6596b757d 2975->2976 2977 7ff6596b7588 2976->2977 2978 7ff6596b43d0 ExFilterRethrow 10 API calls 2976->2978 2978->2977 2979 7ff6596b5f75 2987 7ff6596b5e35 __GSHandlerCheck_EH 2979->2987 2980 7ff6596b5f92 2981 7ff6596b43d0 ExFilterRethrow 10 API calls 2980->2981 2982 7ff6596b5f97 2981->2982 2983 7ff6596b5fa2 2982->2983 2984 7ff6596b43d0 ExFilterRethrow 10 API calls 2982->2984 2985 7ff6596b2660 __GSHandlerCheck_EH 8 API calls 2983->2985 2984->2983 2986 7ff6596b5fb5 2985->2986 2987->2980 2988 7ff6596b3bd0 __GSHandlerCheck_EH 10 API calls 2987->2988 2988->2987 2989 7ff6596b7372 2990 7ff6596b43d0 ExFilterRethrow 10 API calls 2989->2990 2991 7ff6596b7389 2990->2991 2992 7ff6596b43d0 ExFilterRethrow 10 API calls 2991->2992 2993 7ff6596b73a4 2992->2993 2994 7ff6596b43d0 ExFilterRethrow 10 API calls 2993->2994 2995 7ff6596b73ad 2994->2995 2996 7ff6596b5414 __GSHandlerCheck_EH 31 API calls 2995->2996 2997 7ff6596b73f3 2996->2997 2998 7ff6596b43d0 ExFilterRethrow 10 API calls 2997->2998 2999 7ff6596b73f8 2998->2999 2754 7ff6596b74a7 2757 7ff6596b5cc0 2754->2757 2762 7ff6596b5c38 2757->2762 2760 7ff6596b43d0 ExFilterRethrow 10 API calls 2761 7ff6596b5ce0 2760->2761 2763 7ff6596b5ca3 2762->2763 2764 7ff6596b5c5a 2762->2764 2763->2760 2763->2761 2764->2763 2765 7ff6596b43d0 ExFilterRethrow 10 API calls 2764->2765 2765->2763 2256 7ff6596b27ec 2279 7ff6596b2b8c 2256->2279 2259 7ff6596b2943 2319 7ff6596b2ecc IsProcessorFeaturePresent 2259->2319 2260 7ff6596b280d 2262 7ff6596b294d 2260->2262 2265 7ff6596b282b __scrt_release_startup_lock 2260->2265 2263 7ff6596b2ecc 7 API calls 2262->2263 2264 7ff6596b2958 2263->2264 2267 7ff6596b2960 _exit 2264->2267 2266 7ff6596b2850 2265->2266 2268 7ff6596b28d6 _get_initial_narrow_environment __p___argv __p___argc 
2265->2268 2271 7ff6596b28ce _register_thread_local_exe_atexit_callback 2265->2271 2285 7ff6596b1060 2268->2285 2271->2268 2274 7ff6596b2903 2275 7ff6596b2908 _cexit 2274->2275 2276 7ff6596b290d 2274->2276 2275->2276 2315 7ff6596b2d20 2276->2315 2326 7ff6596b316c 2279->2326 2282 7ff6596b2bbb __scrt_initialize_crt 2284 7ff6596b2805 2282->2284 2328 7ff6596b404c 2282->2328 2284->2259 2284->2260 2286 7ff6596b1386 2285->2286 2305 7ff6596b10b4 2285->2305 2355 7ff6596b1450 __acrt_iob_func 2286->2355 2288 7ff6596b1399 2313 7ff6596b3020 GetModuleHandleW 2288->2313 2289 7ff6596b1289 2289->2286 2290 7ff6596b129f 2289->2290 2360 7ff6596b2688 2290->2360 2292 7ff6596b12a9 2294 7ff6596b12b9 GetTempPathA 2292->2294 2295 7ff6596b1325 2292->2295 2293 7ff6596b1125 strcmp 2293->2305 2296 7ff6596b12e9 strcat_s 2294->2296 2297 7ff6596b12cb GetLastError 2294->2297 2369 7ff6596b23c0 2295->2369 2296->2295 2301 7ff6596b1304 2296->2301 2300 7ff6596b1450 6 API calls 2297->2300 2298 7ff6596b1151 strcmp 2298->2305 2306 7ff6596b12df GetLastError 2300->2306 2307 7ff6596b1450 6 API calls 2301->2307 2303 7ff6596b1344 __acrt_iob_func fflush __acrt_iob_func fflush 2310 7ff6596b1312 2303->2310 2304 7ff6596b117d strcmp 2304->2305 2305->2289 2305->2293 2305->2298 2305->2304 2311 7ff6596b1226 strcmp 2305->2311 2306->2310 2307->2310 2310->2288 2311->2305 2312 7ff6596b1239 atoi 2311->2312 2312->2305 2314 7ff6596b28ff 2313->2314 2314->2264 2314->2274 2316 7ff6596b2d31 __scrt_initialize_crt 2315->2316 2317 7ff6596b2916 2316->2317 2318 7ff6596b404c __scrt_initialize_crt 7 API calls 2316->2318 2317->2266 2318->2317 2320 7ff6596b2ef2 2319->2320 2321 7ff6596b2f11 RtlCaptureContext RtlLookupFunctionEntry 2320->2321 2322 7ff6596b2f76 2321->2322 2323 7ff6596b2f3a RtlVirtualUnwind 2321->2323 2324 7ff6596b2fa8 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 2322->2324 2323->2322 2325 7ff6596b2ffa 2324->2325 2325->2262 2327 7ff6596b2bae __scrt_dllmain_crt_thread_attach 2326->2327 2327->2282 
2327->2284 2329 7ff6596b405e 2328->2329 2330 7ff6596b4054 2328->2330 2329->2284 2334 7ff6596b44f4 2330->2334 2335 7ff6596b4503 2334->2335 2337 7ff6596b4059 2334->2337 2342 7ff6596b6630 2335->2342 2338 7ff6596b6460 2337->2338 2339 7ff6596b648b 2338->2339 2340 7ff6596b646e DeleteCriticalSection 2339->2340 2341 7ff6596b648f 2339->2341 2340->2339 2341->2329 2346 7ff6596b6498 2342->2346 2347 7ff6596b65b2 TlsFree 2346->2347 2353 7ff6596b64dc 2346->2353 2348 7ff6596b650a LoadLibraryExW 2350 7ff6596b6581 2348->2350 2351 7ff6596b652b GetLastError 2348->2351 2349 7ff6596b65a1 GetProcAddress 2349->2347 2350->2349 2352 7ff6596b6598 FreeLibrary 2350->2352 2351->2353 2352->2349 2353->2347 2353->2348 2353->2349 2354 7ff6596b654d LoadLibraryExW 2353->2354 2354->2350 2354->2353 2405 7ff6596b1010 2355->2405 2357 7ff6596b148a __acrt_iob_func 2408 7ff6596b1000 2357->2408 2359 7ff6596b14a2 __stdio_common_vfprintf __acrt_iob_func fflush 2359->2288 2363 7ff6596b2690 2360->2363 2361 7ff6596b26aa malloc 2362 7ff6596b26b4 2361->2362 2361->2363 2362->2292 2363->2361 2364 7ff6596b26ba 2363->2364 2365 7ff6596b26c5 2364->2365 2410 7ff6596b2b30 2364->2410 2414 7ff6596b1720 2365->2414 2368 7ff6596b26cb 2368->2292 2370 7ff6596b2688 5 API calls 2369->2370 2371 7ff6596b23f5 OpenProcess 2370->2371 2372 7ff6596b2458 K32GetModuleBaseNameA 2371->2372 2373 7ff6596b243b GetLastError 2371->2373 2375 7ff6596b2470 GetLastError 2372->2375 2376 7ff6596b2492 2372->2376 2374 7ff6596b1450 6 API calls 2373->2374 2384 7ff6596b2453 2374->2384 2377 7ff6596b1450 6 API calls 2375->2377 2431 7ff6596b1800 2376->2431 2379 7ff6596b2484 CloseHandle 2377->2379 2379->2384 2381 7ff6596b24ae 2385 7ff6596b13c0 6 API calls 2381->2385 2382 7ff6596b25b3 CloseHandle 2382->2384 2383 7ff6596b25fa 2442 7ff6596b2660 2383->2442 2384->2383 2387 7ff6596b25f3 _invalid_parameter_noinfo_noreturn 2384->2387 2386 7ff6596b24cf CreateFileA 2385->2386 2388 7ff6596b250f GetLastError 2386->2388 2389 7ff6596b2543 2386->2389 2387->2383 2392 
7ff6596b1450 6 API calls 2388->2392 2393 7ff6596b2550 MiniDumpWriteDump 2389->2393 2396 7ff6596b258a CloseHandle CloseHandle 2389->2396 2394 7ff6596b2538 CloseHandle 2392->2394 2395 7ff6596b2576 GetLastError 2393->2395 2393->2396 2394->2384 2395->2389 2398 7ff6596b258c 2395->2398 2396->2384 2399 7ff6596b1450 6 API calls 2398->2399 2399->2396 2400 7ff6596b13c0 __acrt_iob_func 2401 7ff6596b1010 fprintf __stdio_common_vfprintf 2400->2401 2402 7ff6596b13fa __acrt_iob_func 2401->2402 2501 7ff6596b1000 2402->2501 2404 7ff6596b1412 __stdio_common_vfprintf __acrt_iob_func fflush 2404->2303 2409 7ff6596b1000 2405->2409 2407 7ff6596b1036 __stdio_common_vfprintf 2407->2357 2408->2359 2409->2407 2411 7ff6596b2b3e std::bad_alloc::bad_alloc 2410->2411 2420 7ff6596b3f84 2411->2420 2413 7ff6596b2b4f 2415 7ff6596b172e Concurrency::cancel_current_task 2414->2415 2416 7ff6596b3f84 std::_Xinvalid_argument 2 API calls 2415->2416 2417 7ff6596b173f 2416->2417 2425 7ff6596b3cc0 2417->2425 2421 7ff6596b3fc0 RtlPcToFileHeader 2420->2421 2422 7ff6596b3fa3 2420->2422 2423 7ff6596b3fd8 2421->2423 2424 7ff6596b3fe7 RaiseException 2421->2424 2422->2421 2423->2424 2424->2413 2426 7ff6596b3ce1 2425->2426 2427 7ff6596b176d 2425->2427 2426->2427 2428 7ff6596b3cf6 malloc 2426->2428 2427->2368 2429 7ff6596b3d23 free 2428->2429 2430 7ff6596b3d07 2428->2430 2429->2427 2430->2429 2432 7ff6596b1850 2431->2432 2433 7ff6596b1863 WSAStartup 2431->2433 2434 7ff6596b1450 6 API calls 2432->2434 2435 7ff6596b185c 2433->2435 2440 7ff6596b187f 2433->2440 2434->2435 2436 7ff6596b2660 __GSHandlerCheck_EH 8 API calls 2435->2436 2438 7ff6596b1d87 2436->2438 2437 7ff6596b1dd0 2439 7ff6596b1450 6 API calls 2437->2439 2438->2381 2438->2382 2439->2435 2440->2435 2440->2437 2451 7ff6596b20c0 2440->2451 2445 7ff6596b2669 2442->2445 2443 7ff6596b29c0 IsProcessorFeaturePresent 2446 7ff6596b29d8 2443->2446 2444 7ff6596b1334 2444->2303 2444->2400 2445->2443 2445->2444 2496 7ff6596b2a94 RtlCaptureContext 2446->2496 2452 
7ff6596b2218 2451->2452 2453 7ff6596b20e9 2451->2453 2475 7ff6596b17e0 2452->2475 2455 7ff6596b2144 2453->2455 2457 7ff6596b2137 2453->2457 2458 7ff6596b216c 2453->2458 2466 7ff6596b2690 2455->2466 2456 7ff6596b221d 2461 7ff6596b1720 Concurrency::cancel_current_task 4 API calls 2456->2461 2457->2455 2457->2456 2460 7ff6596b2155 BuildCatchObjectHelperInternal 2458->2460 2463 7ff6596b2690 5 API calls 2458->2463 2462 7ff6596b21e0 _invalid_parameter_noinfo_noreturn 2460->2462 2465 7ff6596b21d3 BuildCatchObjectHelperInternal 2460->2465 2464 7ff6596b2223 2461->2464 2462->2465 2463->2460 2465->2440 2467 7ff6596b26aa malloc 2466->2467 2468 7ff6596b26b4 2467->2468 2469 7ff6596b269b 2467->2469 2468->2460 2469->2467 2470 7ff6596b26ba 2469->2470 2471 7ff6596b26c5 2470->2471 2472 7ff6596b2b30 Concurrency::cancel_current_task 2 API calls 2470->2472 2473 7ff6596b1720 Concurrency::cancel_current_task 4 API calls 2471->2473 2472->2471 2474 7ff6596b26cb 2473->2474 2474->2460 2488 7ff6596b34d4 2475->2488 2493 7ff6596b33f8 2488->2493 2491 7ff6596b3f84 std::_Xinvalid_argument 2 API calls 2492 7ff6596b34f6 2491->2492 2494 7ff6596b3cc0 __std_exception_copy 2 API calls 2493->2494 2495 7ff6596b342c 2494->2495 2495->2491 2497 7ff6596b2aae RtlLookupFunctionEntry 2496->2497 2498 7ff6596b2ac4 RtlVirtualUnwind 2497->2498 2499 7ff6596b29eb 2497->2499 2498->2497 2498->2499 2500 7ff6596b2984 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 2499->2500 2501->2404 2766 7ff6596b59ad 2767 7ff6596b43d0 ExFilterRethrow 10 API calls 2766->2767 2768 7ff6596b59ba 2767->2768 2769 7ff6596b43d0 ExFilterRethrow 10 API calls 2768->2769 2771 7ff6596b59c3 __GSHandlerCheck_EH 2769->2771 2770 7ff6596b5a0a RaiseException 2772 7ff6596b5a29 2770->2772 2771->2770 2785 7ff6596b3b54 2772->2785 2774 7ff6596b43d0 ExFilterRethrow 10 API calls 2776 7ff6596b5a6d 2774->2776 2777 7ff6596b43d0 ExFilterRethrow 10 API calls 2776->2777 2779 7ff6596b5a76 2777->2779 2781 7ff6596b43d0 
ExFilterRethrow 10 API calls 2779->2781 2780 7ff6596b5a5a __GSHandlerCheck_EH 2780->2774 2782 7ff6596b5a7f 2781->2782 2783 7ff6596b43d0 ExFilterRethrow 10 API calls 2782->2783 2784 7ff6596b5a8e 2783->2784 2786 7ff6596b43d0 ExFilterRethrow 10 API calls 2785->2786 2787 7ff6596b3b66 2786->2787 2788 7ff6596b3ba1 abort 2787->2788 2789 7ff6596b43d0 ExFilterRethrow 10 API calls 2787->2789 2790 7ff6596b3b71 2789->2790 2790->2788 2791 7ff6596b3b8d 2790->2791 2792 7ff6596b43d0 ExFilterRethrow 10 API calls 2791->2792 2793 7ff6596b3b92 2792->2793 2793->2780 2794 7ff6596b4104 2793->2794 2795 7ff6596b43d0 ExFilterRethrow 10 API calls 2794->2795 2796 7ff6596b4112 2795->2796 2796->2780 3000 7ff6596b5860 3001 7ff6596b43d0 ExFilterRethrow 10 API calls 3000->3001 3002 7ff6596b58ad 3001->3002 3003 7ff6596b43d0 ExFilterRethrow 10 API calls 3002->3003 3004 7ff6596b58bb __except_validate_context_record 3003->3004 3005 7ff6596b43d0 ExFilterRethrow 10 API calls 3004->3005 3006 7ff6596b5914 3005->3006 3007 7ff6596b43d0 ExFilterRethrow 10 API calls 3006->3007 3008 7ff6596b591d 3007->3008 3009 7ff6596b43d0 ExFilterRethrow 10 API calls 3008->3009 3010 7ff6596b5926 3009->3010 3029 7ff6596b3b18 3010->3029 3013 7ff6596b43d0 ExFilterRethrow 10 API calls 3014 7ff6596b5959 3013->3014 3015 7ff6596b5aa9 abort 3014->3015 3016 7ff6596b5991 3014->3016 3017 7ff6596b3b54 11 API calls 3016->3017 3021 7ff6596b5a31 3017->3021 3018 7ff6596b5a5a __GSHandlerCheck_EH 3019 7ff6596b43d0 ExFilterRethrow 10 API calls 3018->3019 3020 7ff6596b5a6d 3019->3020 3022 7ff6596b43d0 ExFilterRethrow 10 API calls 3020->3022 3021->3018 3023 7ff6596b4104 10 API calls 3021->3023 3024 7ff6596b5a76 3022->3024 3023->3018 3025 7ff6596b43d0 ExFilterRethrow 10 API calls 3024->3025 3026 7ff6596b5a7f 3025->3026 3027 7ff6596b43d0 ExFilterRethrow 10 API calls 3026->3027 3028 7ff6596b5a8e 3027->3028 3030 7ff6596b43d0 ExFilterRethrow 10 API calls 3029->3030 3031 7ff6596b3b29 3030->3031 3032 7ff6596b43d0 ExFilterRethrow 10 API calls 3031->3032 
3033 7ff6596b3b34 3031->3033 3032->3033 3034 7ff6596b43d0 ExFilterRethrow 10 API calls 3033->3034 3035 7ff6596b3b45 3034->3035 3035->3013 3035->3014 3036 7ff6596b7260 3037 7ff6596b7280 3036->3037 3038 7ff6596b7273 3036->3038 3039 7ff6596b1e80 _invalid_parameter_noinfo_noreturn 3038->3039 3039->3037 3040 7ff6596b1ce0 3041 7ff6596b2688 5 API calls 3040->3041 3042 7ff6596b1cea gethostname 3041->3042 3043 7ff6596b1d08 3042->3043 3044 7ff6596b1da9 WSAGetLastError 3042->3044 3054 7ff6596b2040 3043->3054 3045 7ff6596b1450 6 API calls 3044->3045 3047 7ff6596b1d76 3045->3047 3048 7ff6596b2660 __GSHandlerCheck_EH 8 API calls 3047->3048 3049 7ff6596b1d87 3048->3049 3050 7ff6596b18a0 3050->3047 3051 7ff6596b1dd0 3050->3051 3053 7ff6596b20c0 21 API calls 3050->3053 3052 7ff6596b1450 6 API calls 3051->3052 3052->3047 3053->3050 3055 7ff6596b20a2 3054->3055 3058 7ff6596b2063 BuildCatchObjectHelperInternal 3054->3058 3056 7ff6596b2230 22 API calls 3055->3056 3057 7ff6596b20b5 3056->3057 3057->3050 3058->3050 3062 7ff6596b195f 3063 7ff6596b196d 3062->3063 3063->3063 3064 7ff6596b1a23 3063->3064 3065 7ff6596b1ee0 22 API calls 3063->3065 3066 7ff6596b2230 22 API calls 3064->3066 3067 7ff6596b1a67 BuildCatchObjectHelperInternal 3064->3067 3065->3064 3066->3067 3068 7ff6596b1da2 _invalid_parameter_noinfo_noreturn 3067->3068 3069 7ff6596b18a0 3067->3069 3070 7ff6596b1da9 WSAGetLastError 3068->3070 3072 7ff6596b1dd0 3069->3072 3074 7ff6596b1d76 3069->3074 3077 7ff6596b20c0 21 API calls 3069->3077 3071 7ff6596b1450 6 API calls 3070->3071 3071->3074 3075 7ff6596b1450 6 API calls 3072->3075 3073 7ff6596b2660 __GSHandlerCheck_EH 8 API calls 3076 7ff6596b1d87 3073->3076 3074->3073 3075->3074 3077->3069 2800 7ff6596b4024 2807 7ff6596b642c 2800->2807 2806 7ff6596b4031 2819 7ff6596b6714 2807->2819 2810 7ff6596b402d 2810->2806 2812 7ff6596b44ac 2810->2812 2811 7ff6596b6460 __vcrt_uninitialize_locks DeleteCriticalSection 2811->2810 2824 7ff6596b65e8 2812->2824 2820 7ff6596b6498 
__vcrt_InitializeCriticalSectionEx 5 API calls 2819->2820 2821 7ff6596b674a 2820->2821 2822 7ff6596b675f InitializeCriticalSectionAndSpinCount 2821->2822 2823 7ff6596b6444 2821->2823 2822->2823 2823->2810 2823->2811 2825 7ff6596b6498 __vcrt_InitializeCriticalSectionEx 5 API calls 2824->2825 2826 7ff6596b660d TlsAlloc 2825->2826 2828 7ff6596b1b18 _time64 2829 7ff6596b1b34 2828->2829 2829->2829 2830 7ff6596b1bf1 2829->2830 2844 7ff6596b1ee0 2829->2844 2833 7ff6596b1c34 BuildCatchObjectHelperInternal 2830->2833 2858 7ff6596b2230 2830->2858 2834 7ff6596b1da2 _invalid_parameter_noinfo_noreturn 2833->2834 2835 7ff6596b18a0 2833->2835 2836 7ff6596b1da9 WSAGetLastError 2834->2836 2838 7ff6596b1dd0 2835->2838 2840 7ff6596b1d76 2835->2840 2843 7ff6596b20c0 21 API calls 2835->2843 2837 7ff6596b1450 6 API calls 2836->2837 2837->2840 2841 7ff6596b1450 6 API calls 2838->2841 2839 7ff6596b2660 __GSHandlerCheck_EH 8 API calls 2842 7ff6596b1d87 2839->2842 2840->2839 2841->2840 2843->2835 2848 7ff6596b1f25 2844->2848 2857 7ff6596b1f04 BuildCatchObjectHelperInternal 2844->2857 2845 7ff6596b2031 2846 7ff6596b17e0 21 API calls 2845->2846 2847 7ff6596b2036 2846->2847 2852 7ff6596b1720 Concurrency::cancel_current_task 4 API calls 2847->2852 2848->2845 2850 7ff6596b1f74 2848->2850 2851 7ff6596b1fa9 2848->2851 2849 7ff6596b2690 5 API calls 2856 7ff6596b1f92 BuildCatchObjectHelperInternal 2849->2856 2850->2847 2850->2849 2854 7ff6596b2690 5 API calls 2851->2854 2851->2856 2855 7ff6596b203c 2852->2855 2853 7ff6596b202a _invalid_parameter_noinfo_noreturn 2853->2845 2854->2856 2856->2853 2856->2857 2857->2830 2859 7ff6596b225e 2858->2859 2860 7ff6596b23ab 2858->2860 2863 7ff6596b22be 2859->2863 2864 7ff6596b22b1 2859->2864 2865 7ff6596b22e6 2859->2865 2861 7ff6596b17e0 21 API calls 2860->2861 2862 7ff6596b23b0 2861->2862 2867 7ff6596b1720 Concurrency::cancel_current_task 4 API calls 2862->2867 2866 7ff6596b2690 5 API calls 2863->2866 2864->2862 2864->2863 2870 7ff6596b2690 5 API calls 
2865->2870 2871 7ff6596b22cf BuildCatchObjectHelperInternal 2865->2871 2866->2871 2868 7ff6596b23b6 2867->2868 2869 7ff6596b2364 _invalid_parameter_noinfo_noreturn 2872 7ff6596b2357 BuildCatchObjectHelperInternal 2869->2872 2870->2871 2871->2869 2871->2872 2872->2833 3078 7ff6596b7559 3081 7ff6596b4158 3078->3081 3082 7ff6596b4170 3081->3082 3083 7ff6596b4182 3081->3083 3082->3083 3084 7ff6596b4178 3082->3084 3085 7ff6596b43d0 ExFilterRethrow 10 API calls 3083->3085 3086 7ff6596b4180 3084->3086 3088 7ff6596b43d0 ExFilterRethrow 10 API calls 3084->3088 3087 7ff6596b4187 3085->3087 3087->3086 3090 7ff6596b43d0 ExFilterRethrow 10 API calls 3087->3090 3089 7ff6596b41a7 3088->3089 3091 7ff6596b43d0 ExFilterRethrow 10 API calls 3089->3091 3090->3086 3092 7ff6596b41b4 terminate 3091->3092 3093 7ff6596b74d6 3094 7ff6596b3b54 11 API calls 3093->3094 3096 7ff6596b74e9 3094->3096 3095 7ff6596b43d0 ExFilterRethrow 10 API calls 3097 7ff6596b752e 3095->3097 3099 7ff6596b4104 10 API calls 3096->3099 3101 7ff6596b751a __GSHandlerCheck_EH 3096->3101 3098 7ff6596b43d0 ExFilterRethrow 10 API calls 3097->3098 3100 7ff6596b753b 3098->3100 3099->3101 3102 7ff6596b43d0 ExFilterRethrow 10 API calls 3100->3102 3101->3095 3103 7ff6596b7548 3102->3103 2873 7ff6596b191a 2874 7ff6596b194d 2873->2874 2876 7ff6596b18a0 2873->2876 2875 7ff6596b20c0 21 API calls 2874->2875 2875->2876 2877 7ff6596b1d76 2876->2877 2878 7ff6596b1dd0 2876->2878 2882 7ff6596b20c0 21 API calls 2876->2882 2879 7ff6596b2660 __GSHandlerCheck_EH 8 API calls 2877->2879 2880 7ff6596b1450 6 API calls 2878->2880 2881 7ff6596b1d87 2879->2881 2880->2877 2882->2876 2883 7ff6596b291a 2884 7ff6596b3020 __scrt_is_managed_app GetModuleHandleW 2883->2884 2885 7ff6596b2921 2884->2885 2886 7ff6596b2960 _exit 2885->2886 2887 7ff6596b2925 2885->2887 3104 7ff6596b1550 3105 7ff6596b3d50 __std_exception_destroy free 3104->3105 3106 7ff6596b1567 3105->3106 2888 7ff6596b1510 2889 7ff6596b3cc0 __std_exception_copy 2 API calls 2888->2889 2890 
7ff6596b1539 2889->2890 2894 7ff6596b3090 2895 7ff6596b30c4 2894->2895 2896 7ff6596b30a8 2894->2896 2896->2895 2901 7ff6596b41c0 2896->2901 2900 7ff6596b30e2 2902 7ff6596b43d0 ExFilterRethrow 10 API calls 2901->2902 2903 7ff6596b30d6 2902->2903 2904 7ff6596b41d4 2903->2904 2905 7ff6596b43d0 ExFilterRethrow 10 API calls 2904->2905 2906 7ff6596b41dd 2905->2906 2906->2900 2907 7ff6596b7090 2908 7ff6596b70d2 __GSHandlerCheckCommon 2907->2908 2909 7ff6596b70fa 2908->2909 2911 7ff6596b3d78 2908->2911 2913 7ff6596b3da8 _IsNonwritableInCurrentImage __C_specific_handler __except_validate_context_record 2911->2913 2912 7ff6596b3e99 2912->2909 2913->2912 2914 7ff6596b3e64 RtlUnwindEx 2913->2914 2914->2913 2915 7ff6596b7290 2916 7ff6596b72b0 2915->2916 2917 7ff6596b72a3 2915->2917 2919 7ff6596b1e80 2917->2919 2920 7ff6596b1e93 2919->2920 2922 7ff6596b1eb7 2919->2922 2921 7ff6596b1ed8 _invalid_parameter_noinfo_noreturn 2920->2921 2920->2922 2922->2916 3107 7ff6596b27d0 3111 7ff6596b3074 SetUnhandledExceptionFilter 3107->3111 2929 7ff6596b7411 2930 7ff6596b7495 2929->2930 2931 7ff6596b7429 2929->2931 2931->2930 2932 7ff6596b43d0 ExFilterRethrow 10 API calls 2931->2932 2933 7ff6596b7476 2932->2933 2934 7ff6596b43d0 ExFilterRethrow 10 API calls 2933->2934 2935 7ff6596b748b terminate 2934->2935 2935->2930 3112 7ff6596b48c7 abort 2936 7ff6596b2700 2937 7ff6596b2710 2936->2937 2949 7ff6596b2bd8 2937->2949 2939 7ff6596b2ecc 7 API calls 2940 7ff6596b27b5 2939->2940 2941 7ff6596b2734 _RTC_Initialize 2947 7ff6596b2797 2941->2947 2957 7ff6596b2e64 InitializeSListHead 2941->2957 2947->2939 2948 7ff6596b27a5 2947->2948 2950 7ff6596b2c1b 2949->2950 2951 7ff6596b2be9 2949->2951 2950->2941 2952 7ff6596b2c58 2951->2952 2955 7ff6596b2bee __scrt_release_startup_lock 2951->2955 2953 7ff6596b2ecc 7 API calls 2952->2953 2954 7ff6596b2c62 2953->2954 2955->2950 2956 7ff6596b2c0b _initialize_onexit_table 2955->2956 2956->2950 3120 7ff6596b1d39 3121 7ff6596b1d40 3120->3121 3121->3121 3122 7ff6596b2040 
22 API calls 3121->3122 3124 7ff6596b18a0 3121->3124 3122->3124 3123 7ff6596b1d76 3126 7ff6596b2660 __GSHandlerCheck_EH 8 API calls 3123->3126 3124->3123 3125 7ff6596b1dd0 3124->3125 3129 7ff6596b20c0 21 API calls 3124->3129 3127 7ff6596b1450 6 API calls 3125->3127 3128 7ff6596b1d87 3126->3128 3127->3123 3129->3124 3130 7ff6596b733c _seh_filter_exe

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 0 7ff6596b1060-7ff6596b10ae 1 7ff6596b10b4-7ff6596b10c6 0->1 2 7ff6596b1386-7ff6596b1394 call 7ff6596b1450 0->2 3 7ff6596b10d0-7ff6596b10d6 1->3 7 7ff6596b1399 2->7 5 7ff6596b127f-7ff6596b1283 3->5 6 7ff6596b10dc-7ff6596b10df 3->6 5->3 11 7ff6596b1289-7ff6596b1299 5->11 8 7ff6596b10e1-7ff6596b10e5 6->8 9 7ff6596b10ed 6->9 10 7ff6596b139e-7ff6596b13b7 7->10 8->9 12 7ff6596b10e7-7ff6596b10eb 8->12 13 7ff6596b10f0-7ff6596b10fc 9->13 11->2 14 7ff6596b129f-7ff6596b12b7 call 7ff6596b2688 11->14 12->9 15 7ff6596b1104-7ff6596b110b 12->15 16 7ff6596b1110-7ff6596b1113 13->16 17 7ff6596b10fe-7ff6596b1102 13->17 23 7ff6596b12b9-7ff6596b12c9 GetTempPathA 14->23 24 7ff6596b132a-7ff6596b1336 call 7ff6596b23c0 14->24 20 7ff6596b127b 15->20 21 7ff6596b1125-7ff6596b1136 strcmp 16->21 22 7ff6596b1115-7ff6596b1119 16->22 17->13 17->15 20->5 26 7ff6596b1267-7ff6596b126e 21->26 27 7ff6596b113c-7ff6596b113f 21->27 22->21 25 7ff6596b111b-7ff6596b111f 22->25 28 7ff6596b12e9-7ff6596b1302 strcat_s 23->28 29 7ff6596b12cb-7ff6596b12e7 GetLastError call 7ff6596b1450 GetLastError 23->29 41 7ff6596b1338-7ff6596b1344 call 7ff6596b13c0 24->41 42 7ff6596b1346 24->42 25->21 25->26 30 7ff6596b1276 26->30 31 7ff6596b1151-7ff6596b1162 strcmp 27->31 32 7ff6596b1141-7ff6596b1145 27->32 37 7ff6596b1304-7ff6596b1312 call 7ff6596b1450 28->37 38 7ff6596b1325 28->38 52 7ff6596b1313-7ff6596b1323 call 7ff6596b2680 29->52 30->20 34 7ff6596b1258-7ff6596b1265 31->34 35 7ff6596b1168-7ff6596b116b 31->35 32->31 39 7ff6596b1147-7ff6596b114b 32->39 34->20 43 7ff6596b117d-7ff6596b118e strcmp 35->43 44 7ff6596b116d-7ff6596b1171 35->44 37->52 38->24 39->31 39->34 49 7ff6596b134b-7ff6596b1384 __acrt_iob_func fflush __acrt_iob_func fflush call 7ff6596b2680 41->49 42->49 50 7ff6596b1194-7ff6596b1197 43->50 51 7ff6596b1247-7ff6596b1256 43->51 44->43 48 7ff6596b1173-7ff6596b1177 44->48 48->43 48->51 49->10 56 7ff6596b11a5-7ff6596b11af 50->56 57 
7ff6596b1199-7ff6596b119d 50->57 51->30 52->10 61 7ff6596b11b0-7ff6596b11bb 56->61 57->56 60 7ff6596b119f-7ff6596b11a3 57->60 60->56 63 7ff6596b11c3-7ff6596b11d2 60->63 64 7ff6596b11d7-7ff6596b11da 61->64 65 7ff6596b11bd-7ff6596b11c1 61->65 63->30 66 7ff6596b11ec-7ff6596b11f6 64->66 67 7ff6596b11dc-7ff6596b11e0 64->67 65->61 65->63 69 7ff6596b1200-7ff6596b120b 66->69 67->66 68 7ff6596b11e2-7ff6596b11e6 67->68 68->20 68->66 70 7ff6596b1215-7ff6596b1218 69->70 71 7ff6596b120d-7ff6596b1211 69->71 73 7ff6596b1226-7ff6596b1237 strcmp 70->73 74 7ff6596b121a-7ff6596b121e 70->74 71->69 72 7ff6596b1213 71->72 72->20 73->20 76 7ff6596b1239-7ff6596b1245 atoi 73->76 74->73 75 7ff6596b1220-7ff6596b1224 74->75 75->20 75->73 76->20
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1909973381.00007FF6596B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6596B0000, based on PE: true
                                                                  • Associated: 00000009.00000002.1909946619.00007FF6596B0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910065131.00007FF6596BC000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910107769.00007FF6596BD000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ff6596b0000_createdump.jbxd
                                                                  Similarity
                                                                  • API ID: strcmp$ErrorLast__acrt_iob_funcfflush$PathTempatoistrcat_s
                                                                  • String ID: -$-$-$-$-$-$-$--diag$--full$--name$--normal$--triage$--verbose$--withheap$Dump successfully written$GetTempPath failed (0x%08x)$createdump [options] pid-f, --name - dump path and file name. The default is '%TEMP%\dump.%p.dmp'. These specifiers are substituted with following values: %p PID of dumped process. %e The process executable filename. %h Hostname return by gethostn$dump.%p.dmp$full dump$minidump$minidump with heap$strcat_s failed (%d)$triage minidump$v
                                                                  • API String ID: 2647627392-2367407095
                                                                  • Opcode ID: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                                  • Instruction ID: 6435aac44fef1f1d697f12a6cd5df8a252776936378f43cef3dc8250abc9a610
                                                                  • Opcode Fuzzy Hash: 3e8843d71ddd811f5735ae345386871f6517bdd5673e2455e3aa9b185965a2cd
                                                                  • Instruction Fuzzy Hash: 11A14062D0C68265FB618F20E5402B967F6EB46758F0D4135EA4EE6695FF3CE88CE301

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1909973381.00007FF6596B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6596B0000, based on PE: true
                                                                   • Associated: 00000009.00000002.1909946619.00007FF6596B0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1910065131.00007FF6596BC000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1910107769.00007FF6596BD000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ff6596b0000_createdump.jbxd
                                                                  Similarity
                                                                  • API ID: __p___argc__p___argv__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                                  • String ID:
                                                                  • API String ID: 2308368977-0
                                                                  • Opcode ID: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                                  • Instruction ID: a96e7a8d7cc76804d4bb98dd6ed0b2e2d20c491134794e899b5dafea08b19159
                                                                  • Opcode Fuzzy Hash: 5a9b20bb9eaae0def914decdfc47a4fcc48693c8541f2657ef11ecffac799aa6
                                                                  • Instruction Fuzzy Hash: 7B312921E0D24781FA14AF25D5617BA22B3AF65784F4C0035F60DE72A3FF2DA84DA250

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1909973381.00007FF6596B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6596B0000, based on PE: true
                                                                   • Associated: 00000009.00000002.1909946619.00007FF6596B0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1910065131.00007FF6596BC000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1910107769.00007FF6596BD000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ff6596b0000_createdump.jbxd
                                                                  Similarity
                                                                  • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                                  • String ID: [createdump]
                                                                  • API String ID: 3735572767-2657508301
                                                                  • Opcode ID: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                                  • Instruction ID: 125b838a99ffaea222995285aee8c3dc1695fda9e425bdf39ced6ce777ea1966
                                                                  • Opcode Fuzzy Hash: f7b41b5d75985a22341ebafe60962d777547180dfe076665e84a48d8af4ee52e
                                                                  • Instruction Fuzzy Hash: C0014B21A08B8182F6009F50F81916AA376EB84BD1F084539FA8D93769EF3CD459E740

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1909973381.00007FF6596B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6596B0000, based on PE: true
                                                                   • Associated: 00000009.00000002.1909946619.00007FF6596B0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1910065131.00007FF6596BC000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1910107769.00007FF6596BD000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ff6596b0000_createdump.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                  • String ID:
                                                                  • API String ID: 3140674995-0
                                                                  • Opcode ID: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                                  • Instruction ID: 3c2ed44de4c61ab23a4128fa5ba2990d3a1bfd0d02f81bf1f9d407cd0ce5b643
                                                                  • Opcode Fuzzy Hash: 92083fc3b2590fb7f42fdf2bff26a09e0be32edceb9cda99800bf26d983c5eac
                                                                  • Instruction Fuzzy Hash: 92314D72609A8186FB608F60E8403EE7376FB94784F48443AEA4E97A95EF3CD54CD714
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1909973381.00007FF6596B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6596B0000, based on PE: true
                                                                   • Associated: 00000009.00000002.1909946619.00007FF6596B0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1910065131.00007FF6596BC000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1910107769.00007FF6596BD000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ff6596b0000_createdump.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                                  • Instruction ID: 1934c565d1968e7b169df45fbf441a44979e0683797447ca16b8b9949d5aba58
                                                                  • Opcode Fuzzy Hash: 8c8a5ce5a61a9accbe9d72245b7862f6c7c599a8b634bc8698eb0ff17e984138
                                                                  • Instruction Fuzzy Hash: 16A00121A4D802D0F6448F18E8545252232EB50380B480531E40DA20A1AF3CA448A300

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • OpenProcess.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6596B242D
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6596B243B
                                                                    • Part of subcall function 00007FF6596B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6596B1475
                                                                    • Part of subcall function 00007FF6596B1450: fprintf.MSPDB140-MSVCRT ref: 00007FF6596B1485
                                                                    • Part of subcall function 00007FF6596B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6596B1494
                                                                    • Part of subcall function 00007FF6596B1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6596B14B3
                                                                    • Part of subcall function 00007FF6596B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6596B14BE
                                                                    • Part of subcall function 00007FF6596B1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6596B14C7
                                                                  • K32GetModuleBaseNameA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6596B2466
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6596B2470
                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6596B2487
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00007FF6596B25F3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1909973381.00007FF6596B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6596B0000, based on PE: true
                                                                   • Associated: 00000009.00000002.1909946619.00007FF6596B0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1910065131.00007FF6596BC000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1910107769.00007FF6596BD000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ff6596b0000_createdump.jbxd
                                                                  Similarity
                                                                  • API ID: __acrt_iob_func$ErrorLast$BaseCloseHandleModuleNameOpenProcess__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnfflushfprintf
                                                                  • String ID: Get process name FAILED %d$Invalid dump path '%s' error %d$Invalid process id '%d' error %d$Write dump FAILED 0x%08x$Writing %s to file %s
                                                                  • API String ID: 3971781330-1292085346
                                                                  • Opcode ID: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                                  • Instruction ID: 130b8a88a768bbe60a440c651de9ec702390f1898c208c77461c265b6f8d049c
                                                                  • Opcode Fuzzy Hash: 8ec448eeb6e8f02312a1538d84a3c8dfc991fc7cafdc13e8cd0ded943aea62a7
                                                                  • Instruction Fuzzy Hash: A8617232A08A4182F6109F15E85067A77B2FB957D4F580130FA9EA3AA5EF3CE449E700

                                                                  Control-flow Graph

                                                                   Control-flow graph (rendered image, blocks coloured executed / not executed; edge list omitted). Function 00007FF6596B49A4, blocks up to 00007FF6596B4E9F: MSVC C++ exception frame handler (the "csm" strings are the ASCII form of the 0xE06D7363 C++ exception code); every failure path ends in abort or terminate. Subcalls include 00007FF6596B4518, 00007FF6596B43D0, 00007FF6596B5724, 00007FF6596B36D0, 00007FF6596B56A8, 00007FF6596B3BBC, 00007FF6596B52D0, 00007FF6596B5AB0, 00007FF6596B48D0, 00007FF6596B4EA0, 00007FF6596B3670, 00007FF6596B5FD8, 00007FF6596B60C8, 00007FF6596B4090, 00007FF6596B5838, 00007FF6596B3F84, 00007FF6596B2660.
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1909973381.00007FF6596B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6596B0000, based on PE: true
                                                                   • Associated: 00000009.00000002.1909946619.00007FF6596B0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1910065131.00007FF6596BC000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1910107769.00007FF6596BD000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ff6596b0000_createdump.jbxd
                                                                  Similarity
                                                                  • API ID: terminate$Is_bad_exception_allowedabortstd::bad_alloc::bad_alloc
                                                                  • String ID: csm$csm$csm
                                                                  • API String ID: 695522112-393685449
                                                                  • Opcode ID: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                                  • Instruction ID: a416fa73bf9b272b50b2825ff6a36759a460190f9172383b006044f31304e5f7
                                                                  • Opcode Fuzzy Hash: b33eca4017884e99d2f222704934a1d2e619e74398d1b95ed41b8d3f9756be10
                                                                  • Instruction Fuzzy Hash: 29E1A072A087868AF7209F25D4803BD77B2FB44748F185135EA8DA7796EF38E489D700

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1909973381.00007FF6596B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6596B0000, based on PE: true
                                                                   • Associated: 00000009.00000002.1909946619.00007FF6596B0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1910065131.00007FF6596BC000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1910107769.00007FF6596BD000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ff6596b0000_createdump.jbxd
                                                                  Similarity
                                                                  • API ID: __acrt_iob_func$__stdio_common_vfprintf$fflushfprintf
                                                                  • String ID: [createdump]
                                                                  • API String ID: 3735572767-2657508301
                                                                  • Opcode ID: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                                  • Instruction ID: 375d8c57d2692798f2df038387583ae98d176d09dd303f59d7fadc615341476d
                                                                  • Opcode Fuzzy Hash: 5b675bc39e039bc525fd467c26ca74d7b5bd1981a0b88a155956b168aee24ed4
                                                                  • Instruction Fuzzy Hash: 65014B31A08B8182F7009F50F8141AAA372EB84BD1F084535FA8D93769EF7CD499E780

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • WSAStartup.WS2_32 ref: 00007FF6596B186C
                                                                    • Part of subcall function 00007FF6596B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6596B1475
                                                                    • Part of subcall function 00007FF6596B1450: fprintf.MSPDB140-MSVCRT ref: 00007FF6596B1485
                                                                    • Part of subcall function 00007FF6596B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6596B1494
                                                                    • Part of subcall function 00007FF6596B1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6596B14B3
                                                                    • Part of subcall function 00007FF6596B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6596B14BE
                                                                    • Part of subcall function 00007FF6596B1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6596B14C7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1909973381.00007FF6596B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6596B0000, based on PE: true
                                                                   • Associated: 00000009.00000002.1909946619.00007FF6596B0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1910065131.00007FF6596BC000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1910107769.00007FF6596BD000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ff6596b0000_createdump.jbxd
                                                                  Similarity
                                                                  • API ID: __acrt_iob_func$Startup__stdio_common_vfprintffflushfprintf
                                                                  • String ID: %%%%%%%%$%%%%%%%%$--name$Invalid dump name format char '%c'$Pipe syntax in dump name not supported
                                                                  • API String ID: 3378602911-3973674938
                                                                  • Opcode ID: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                                  • Instruction ID: 9d34ca6ee66f10258fbb05e58fd51dfdbac0ee67269603bac6a129a12d5e1593
                                                                  • Opcode Fuzzy Hash: 6d691e12a95190b73438bc01f861d361a60469c0dc3d28550e2b0afd423a51ff
                                                                  • Instruction Fuzzy Hash: 7531C062A08A81A6F7598F15D9547F927B3BB46784F490032FE4D63291EF3CE149E700
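The option strings in the function at 00007FF6596B1060 above ("createdump [options] pid", --diag/--full/--name/--normal/--triage/--verbose/--withheap, default name '%TEMP%\dump.%p.dmp' with %p, %e and %h substitution) and the error strings of this parser ("Invalid dump name format char '%c'", "Pipe syntax in dump name not supported") identify process 9 as createdump.exe, the .NET runtime's process-dump utility, which the MSI dropped as a signed helper rather than as malware-specific code. The example below is added here and is not code from dotnet/runtime or from the sandbox: it models that command line and the dump-name expansion in Python so that a createdump invocation seen in process telemetry can be read back to the process it dumps and the file it writes. Assumptions: the names parse_args, expand_dump_name, dump_name_error and describe are this example's; the default dump type ("minidump with heap") and the plain substitution used for %TEMP% are not shown on the page; the pid is parsed with int() where the listing calls atoi; the command lines, host and executable names are constructed. The page does not show which pid the dropper passed.

```python
"""Added example, not dotnet/runtime code or sandbox output: a model of the createdump
command line and dump-name expansion documented by the strings in this report."""
from dataclasses import dataclass, field

DUMP_TYPES = {"--normal": "minidump", "--withheap": "minidump with heap",
              "--triage": "triage minidump", "--full": "full dump"}
FLAGS = {"--diag", "--verbose"}
DEFAULT_NAME = r"%TEMP%\dump.%p.dmp"   # default quoted in the usage text
DEFAULT_TYPE = "minidump with heap"    # assumption: the default type is not on the page


@dataclass
class DumpRequest:
    pid: int = -1
    dump_type: str = DEFAULT_TYPE
    name: str = DEFAULT_NAME
    flags: set = field(default_factory=set)


def parse_args(argv):
    """Parse 'createdump [options] pid'; raises ValueError on malformed input."""
    req, pid_seen, i = DumpRequest(), False, 0
    while i < len(argv):
        arg = argv[i]
        if arg in DUMP_TYPES:
            req.dump_type = DUMP_TYPES[arg]
        elif arg in FLAGS:
            req.flags.add(arg)
        elif arg in ("-f", "--name"):          # -f is the short form named in the usage text
            i += 1
            if i == len(argv):
                raise ValueError("--name needs a value")
            req.name = argv[i]
        elif arg.startswith("-"):
            raise ValueError(f"unknown option {arg!r}")
        elif pid_seen:
            raise ValueError("only one pid is accepted")
        else:
            try:                               # the listing uses atoi here; int() is stricter (assumption)
                req.pid = int(arg)
            except ValueError:
                raise ValueError(f"Invalid process id '{arg}'") from None
            pid_seen = True
        i += 1
    if not pid_seen:
        raise ValueError("pid missing")
    return req


def expand_dump_name(pattern, pid, exe_name, host_name, temp_dir):
    """Expand %p (pid), %e (exe name), %h (hostname) and %% as the usage text documents;
    reject a leading '|' and unknown specifiers with the messages seen in the listing.
    %TEMP% is substituted up front (assumption: the page does not show how it is resolved)."""
    if pattern.startswith("|"):
        raise ValueError("Pipe syntax in dump name not supported")
    pattern = pattern.replace("%TEMP%", temp_dir)
    subst = {"%": "%", "p": str(pid), "e": exe_name, "h": host_name}
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        i += 1
        if ch != "%":
            out.append(ch)
        elif i == len(pattern):                # a trailing lone '%' ends the name
            break
        else:
            spec = pattern[i]
            i += 1
            if spec not in subst:
                raise ValueError(f"Invalid dump name format char '{spec}'")
            out.append(subst[spec])
    return "".join(out)


def dump_name_error(pattern):
    """Return the rejection message for a dump name, or None if it is accepted."""
    try:
        expand_dump_name(pattern, 0, "x.exe", "host", "T")
    except ValueError as err:
        return str(err)
    return None


def describe(argv, exe_name, host_name, temp_dir):
    """Rebuild the 'Writing %s to file %s' line the tool logs before writing the dump."""
    req = parse_args(argv)
    path = expand_dump_name(req.name, req.pid, exe_name, host_name, temp_dir)
    return f"Writing {req.dump_type} to file {path}"


if __name__ == "__main__":
    # Constructed command lines; the page does not show the one the dropper used.
    print(describe(["--triage", "4242"], "app.exe", "WS01", r"C:\Users\user\AppData\Local\Temp"))
    print(describe(["--full", "-f", r"C:\Windows\Temp\%e-%h.dmp", "612"], "app.exe", "WS01", r"C:\Temp"))
    print(dump_name_error("|type"))
```

The "Writing %s to file %s" line that describe() rebuilds is the one in the OpenProcess/K32GetModuleBaseNameA function at 00007FF6596B242D above, which is where the tool resolves the pid to the executable name used for %e. The other functions in this listing (the api-ms- loader around 00007FF6596B651D, the "csm" exception frame handler at 00007FF6596B49A4, the __scrt startup code) are MSVC runtime code present in any binary built with that toolchain, which is why a legitimate dump utility trips generic heuristics such as extensive GetProcAddress use and debugger checks; the dump type and the pid it was pointed at are what decide whether an invocation is benign diagnostics or memory theft.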

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(00000000,?,00000000,00007FF6596B669F,?,?,?,00007FF6596B441E,?,?,?,00007FF6596B43D9), ref: 00007FF6596B651D
                                                                  • GetLastError.KERNEL32(?,00000000,00007FF6596B669F,?,?,?,00007FF6596B441E,?,?,?,00007FF6596B43D9,?,?,?,?,00007FF6596B3524), ref: 00007FF6596B652B
                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00007FF6596B669F,?,?,?,00007FF6596B441E,?,?,?,00007FF6596B43D9,?,?,?,?,00007FF6596B3524), ref: 00007FF6596B6555
                                                                  • FreeLibrary.KERNEL32(?,00000000,00007FF6596B669F,?,?,?,00007FF6596B441E,?,?,?,00007FF6596B43D9,?,?,?,?,00007FF6596B3524), ref: 00007FF6596B659B
                                                                  • GetProcAddress.KERNEL32(?,00000000,00007FF6596B669F,?,?,?,00007FF6596B441E,?,?,?,00007FF6596B43D9,?,?,?,?,00007FF6596B3524), ref: 00007FF6596B65A7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1909973381.00007FF6596B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6596B0000, based on PE: true
                                                                   • Associated: 00000009.00000002.1909946619.00007FF6596B0000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1910065131.00007FF6596BC000.00000004.00000001.01000000.00000006.sdmp
                                                                   • Associated: 00000009.00000002.1910107769.00007FF6596BD000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ff6596b0000_createdump.jbxd
                                                                  Similarity
                                                                  • API ID: Library$Load$AddressErrorFreeLastProc
                                                                  • String ID: api-ms-
                                                                  • API String ID: 2559590344-2084034818
                                                                  • Opcode ID: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                                  • Instruction ID: a862bc488116e53f60b0a821009a2070608e776378a5d4b844aeb88aeeb58613
                                                                  • Opcode Fuzzy Hash: 91eaabdab86b5d7484fb536d38c8d26551698fbc6984510a5f5d6d43d06b7795
                                                                  • Instruction Fuzzy Hash: AD318D22A1AA4291FE219F12E80457523A6FF48BB0F1D4634FD5DAB798FF3CE4589310

                                                                  Control-flow Graph

                                                                   Control-flow graph (rendered image, blocks coloured executed / not executed; edge list omitted). Function 00007FF6596B1B18, together with blocks at 00007FF6596B18A0-00007FF6596B1915 belonging to the same function: _time64 at entry, two tight loops, subcalls 00007FF6596B1EE0, 00007FF6596B2230, 00007FF6596B68C0 and 00007FF6596B20C0, an error path through _invalid_parameter_noinfo_noreturn and WSAGetLastError into the diagnostic printer 00007FF6596B1450, and exit via 00007FF6596B2680 / 00007FF6596B2660.
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1909973381.00007FF6596B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6596B0000, based on PE: true
                                                                  • Associated: 00000009.00000002.1909946619.00007FF6596B0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910065131.00007FF6596BC000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910107769.00007FF6596BD000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ff6596b0000_createdump.jbxd
                                                                  Similarity
                                                                  • API ID: _time64
                                                                  • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                                  • API String ID: 1670930206-4114407318
                                                                  • Opcode ID: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                                  • Instruction ID: 39dfb456bbb1c6cbceb6ddb312a5c629c24ab97a2ecb3d78f90804727008be61
                                                                  • Opcode Fuzzy Hash: 30f253d6cb86930f70187238c9af70fef4a32202514a54efb800f102df6d23dc
                                                                  • Instruction Fuzzy Hash: 6C51E462A18B8146FB04CF28E5903AD67A2FB517D0F440132EA5D677A9EF3CD049E340

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1909973381.00007FF6596B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6596B0000, based on PE: true
                                                                  • Associated: 00000009.00000002.1909946619.00007FF6596B0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910065131.00007FF6596BC000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910107769.00007FF6596BD000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ff6596b0000_createdump.jbxd
                                                                  Similarity
                                                                  • API ID: EncodePointerabort
                                                                  • String ID: MOC$RCC
                                                                  • API String ID: 1188231555-2084237596
                                                                  • Opcode ID: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                                  • Instruction ID: d0ddf6c5a71f942d8d09d995aefb6607ae704397a281688315a9264eb0b8fdaa
                                                                  • Opcode Fuzzy Hash: 97abe66515cb1414aeefc8003222462485e27fa84eefc4111ad6d0138f6fd2ea
                                                                  • Instruction Fuzzy Hash: EA918173A08B868AF7108F65D4802ED7BB1F745788F184129EA8DA7755EF38D199D700

                                                                  Control-flow Graph

                                                                  • Executed
                                                                  • Not Executed
                                                                  control_flow_graph 459 7ff6596b5414-7ff6596b5461 call 7ff6596b63f4 call 7ff6596b43d0 464 7ff6596b548e-7ff6596b5492 459->464 465 7ff6596b5463-7ff6596b5469 459->465 466 7ff6596b55b2-7ff6596b55c7 call 7ff6596b5724 464->466 467 7ff6596b5498-7ff6596b549b 464->467 465->464 468 7ff6596b546b-7ff6596b546e 465->468 480 7ff6596b55d2-7ff6596b55d8 466->480 481 7ff6596b55c9-7ff6596b55cc 466->481 469 7ff6596b5680 467->469 470 7ff6596b54a1-7ff6596b54d1 467->470 472 7ff6596b5480-7ff6596b5483 468->472 473 7ff6596b5470-7ff6596b5474 468->473 477 7ff6596b5685-7ff6596b56a1 469->477 470->469 476 7ff6596b54d7-7ff6596b54de 470->476 472->464 474 7ff6596b5485-7ff6596b5488 472->474 473->474 475 7ff6596b5476-7ff6596b547e 473->475 474->464 474->469 475->464 475->472 476->469 479 7ff6596b54e4-7ff6596b54e8 476->479 482 7ff6596b54ee-7ff6596b54f1 479->482 483 7ff6596b559f-7ff6596b55ad call 7ff6596b3678 479->483 484 7ff6596b5647-7ff6596b567b call 7ff6596b49a4 480->484 485 7ff6596b55da-7ff6596b55de 480->485 481->469 481->480 488 7ff6596b54f3-7ff6596b5508 call 7ff6596b4520 482->488 489 7ff6596b5556-7ff6596b5559 482->489 483->469 484->469 485->484 486 7ff6596b55e0-7ff6596b55e7 485->486 486->484 491 7ff6596b55e9-7ff6596b55f0 486->491 496 7ff6596b56a2-7ff6596b56a7 abort 488->496 501 7ff6596b550e-7ff6596b5511 488->501 489->483 492 7ff6596b555b-7ff6596b5563 489->492 491->484 495 7ff6596b55f2-7ff6596b5605 call 7ff6596b3bbc 491->495 492->496 497 7ff6596b5569-7ff6596b5593 492->497 495->484 507 7ff6596b5607-7ff6596b5645 495->507 497->496 500 7ff6596b5599-7ff6596b559d 497->500 503 7ff6596b5546-7ff6596b5551 call 7ff6596b5cf0 500->503 504 7ff6596b5513-7ff6596b5538 501->504 505 7ff6596b553a-7ff6596b553d 501->505 503->469 504->505 505->496 508 7ff6596b5543 505->508 507->477 508->503
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1909973381.00007FF6596B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6596B0000, based on PE: true
                                                                  • Associated: 00000009.00000002.1909946619.00007FF6596B0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910065131.00007FF6596BC000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910107769.00007FF6596BD000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ff6596b0000_createdump.jbxd
                                                                  Similarity
                                                                  • API ID: __except_validate_context_recordabort
                                                                  • String ID: csm$csm
                                                                  • API String ID: 746414643-3733052814
                                                                  • Opcode ID: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                                  • Instruction ID: f88b8806e9a77a9623770992b662c88c1b993b881b3748bbc90db1ea6b055737
                                                                  • Opcode Fuzzy Hash: 1056e810e0031d83590426beccc43492b2f2866ca19cabfb7471893f0b3bcd0b
                                                                  • Instruction Fuzzy Hash: 5671F632A086818AE7218F21D1507BD7BB2FB44B89F088135EE8C97B95EF3CD455D741

                                                                  Control-flow Graph

                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1909973381.00007FF6596B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6596B0000, based on PE: true
                                                                  • Associated: 00000009.00000002.1909946619.00007FF6596B0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910065131.00007FF6596BC000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910107769.00007FF6596BD000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ff6596b0000_createdump.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                                  • API String ID: 0-4114407318
                                                                  • Opcode ID: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                                  • Instruction ID: 56979f004b0b6596a51f3982f7c2771f46873f9dcd6efda375447bed302c220d
                                                                  • Opcode Fuzzy Hash: 3a1402493b52144332fc7ef885a246e0bef5bb5eddb931c8bdeb75c83dbb8659
                                                                  • Instruction Fuzzy Hash: 2051F722A18B8556F700CF29E5407AA67B2EB817D0F450136FA9D63BD9EF3DE045E740

                                                                  Control-flow Graph

                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1909973381.00007FF6596B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6596B0000, based on PE: true
                                                                  • Associated: 00000009.00000002.1909946619.00007FF6596B0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910065131.00007FF6596BC000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910107769.00007FF6596BD000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ff6596b0000_createdump.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFrameInfo__except_validate_context_record
                                                                  • String ID: csm
                                                                  • API String ID: 2558813199-1018135373
                                                                  • Opcode ID: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                                  • Instruction ID: 5faa1a233315dc12d3f4c0ce0e5af1567024d8fc495b988c5e684d15f97d7437
                                                                  • Opcode Fuzzy Hash: 08459d2de849ea082ca6f7467207d0873ef5a0572d3180cf677e49d91fe67cef
                                                                  • Instruction Fuzzy Hash: F5518F3361874686E660EF16E04026E77B5FB88B94F081135EB8D97B56EF7CE464DB00
                                                                  APIs
                                                                  • std::_Xinvalid_argument.LIBCPMT ref: 00007FF6596B17EB
                                                                  • WSAStartup.WS2_32 ref: 00007FF6596B186C
                                                                    • Part of subcall function 00007FF6596B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6596B1475
                                                                    • Part of subcall function 00007FF6596B1450: fprintf.MSPDB140-MSVCRT ref: 00007FF6596B1485
                                                                    • Part of subcall function 00007FF6596B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6596B1494
                                                                    • Part of subcall function 00007FF6596B1450: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6596B14B3
                                                                    • Part of subcall function 00007FF6596B1450: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6596B14BE
                                                                    • Part of subcall function 00007FF6596B1450: fflush.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF6596B14C7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1909973381.00007FF6596B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6596B0000, based on PE: true
                                                                  • Associated: 00000009.00000002.1909946619.00007FF6596B0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910065131.00007FF6596BC000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910107769.00007FF6596BD000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ff6596b0000_createdump.jbxd
                                                                  Similarity
                                                                  • API ID: __acrt_iob_func$StartupXinvalid_argument__stdio_common_vfprintffflushfprintfstd::_
                                                                  • String ID: --name$Pipe syntax in dump name not supported$string too long
                                                                  • API String ID: 1412700758-3183687674
                                                                  • Opcode ID: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                                  • Instruction ID: 4d2ffb6ab06c093630afba1d1bad04744853d3ba50df7ce7dd81fbd2350dc7d1
                                                                  • Opcode Fuzzy Hash: 937e6b2c28cea08e1eee527b5bf6a7363096d6cc0634c1c423fcc3cad23f2144
                                                                  • Instruction Fuzzy Hash: DE01D422B18985A5F7619F12EC817FA6360BB89798F080036FE0D67651EF3CD48AD700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1909973381.00007FF6596B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6596B0000, based on PE: true
                                                                  • Associated: 00000009.00000002.1909946619.00007FF6596B0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910065131.00007FF6596BC000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910107769.00007FF6596BD000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ff6596b0000_createdump.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastgethostname
                                                                  • String ID: %%%%%%%%$Could not get the host name for dump name: %d
                                                                  • API String ID: 3782448640-4114407318
                                                                  • Opcode ID: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                                  • Instruction ID: 7eb25df168a40388078c65e69e5dcee8996e620bbfaf8a02772b009c3878af72
                                                                  • Opcode Fuzzy Hash: 320cb389b9e396755b8a5578c83a0b73153155c3fa84c5d330cc0819ada1fb95
                                                                  • Instruction Fuzzy Hash: F711E321E0914246FA499F21E8503FA22B29F867A4F091135FA5FB72D6FF3CD04AA340
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1909973381.00007FF6596B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6596B0000, based on PE: true
                                                                  • Associated: 00000009.00000002.1909946619.00007FF6596B0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910065131.00007FF6596BC000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910107769.00007FF6596BD000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ff6596b0000_createdump.jbxd
                                                                  Similarity
                                                                  • API ID: terminate
                                                                  • String ID: MOC$RCC$csm
                                                                  • API String ID: 1821763600-2671469338
                                                                  • Opcode ID: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                                  • Instruction ID: 1e8c9784ab15cfcc4a6762bbba38795c30bdc3e5c86d8095ab5d3e4cee43c7fa
                                                                  • Opcode Fuzzy Hash: 2eecf08628838b8288b91de4d166118c23004d29b6453832f1ed38693e8fa958
                                                                  • Instruction Fuzzy Hash: AEF0AF3690C24AD1F3245F52E14507D3376EF58B44F0C6031E718AA292EF7CE4A9E602
                                                                  APIs
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(-3333333333333333,?,00000000,00007FF6596B18EE), ref: 00007FF6596B21E0
                                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6596B221E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1909973381.00007FF6596B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6596B0000, based on PE: true
                                                                  • Associated: 00000009.00000002.1909946619.00007FF6596B0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910065131.00007FF6596BC000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910107769.00007FF6596BD000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ff6596b0000_createdump.jbxd
                                                                  Similarity
                                                                  • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                  • String ID: Invalid process id '%d' error %d
                                                                  • API String ID: 73155330-4244389950
                                                                  • Opcode ID: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                                  • Instruction ID: 5e33ed45a6f8fb761887eacce99e0365c9019c7dd132227617e3ad512284bd15
                                                                  • Opcode Fuzzy Hash: bba2875ca5ab07f9a8534c7e54732a79a80581b419c8ee845a73c6edf0a3127c
                                                                  • Instruction Fuzzy Hash: A931D232B0978195FE109F15D5442A963B6AB15BD0F1C0631EB5D57BD5EF7CE098A300
                                                                  APIs
                                                                  • RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6596B173F), ref: 00007FF6596B3FC8
                                                                  • RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF6596B173F), ref: 00007FF6596B400E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000009.00000002.1909973381.00007FF6596B1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6596B0000, based on PE: true
                                                                  • Associated: 00000009.00000002.1909946619.00007FF6596B0000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1909998362.00007FF6596B8000.00000002.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910065131.00007FF6596BC000.00000004.00000001.01000000.00000006.sdmp
                                                                  • Associated: 00000009.00000002.1910107769.00007FF6596BD000.00000002.00000001.01000000.00000006.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_9_2_7ff6596b0000_createdump.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFileHeaderRaise
                                                                  • String ID: csm
                                                                  • API String ID: 2573137834-1018135373
                                                                  • Opcode ID: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                                  • Instruction ID: f88411872ec83f23dfc2e8f5490e10bfd342f1d4faece0fd545ee30ee043cfa0
                                                                  • Opcode Fuzzy Hash: 7531413fd5ba05c8efc2732aab9693bebd0b5d96e62eb0afc70bc4d0601aafd3
                                                                  • Instruction Fuzzy Hash: 44115B36619B4182EB108F15E80066977B5FB88B84F184230EF8D57B58EF3CC4598700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$HandleModule
                                                                  • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                                                  • API String ID: 667068680-295688737
                                                                  • Opcode ID: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                                  • Instruction ID: c4e0f044bfb7fd118f7c1b3cfe0c84c3b7af2a75550c6a64c92f2c7d81ef66d9
                                                                  • Opcode Fuzzy Hash: 1a417b50dcafad6159ae4e9598c744832c3e05bb208c0b36a963ca790b9c9f82
                                                                  • Instruction Fuzzy Hash: 93A1A3A4A09B0781EB29AB51BC6917433A1BF49B85BDA9035C80E0B374EF7CA159C390
                                                                  APIs
                                                                    • Part of subcall function 00000001400078C0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                                    • Part of subcall function 00000001400078C0: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                                    • Part of subcall function 00000001400078C0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                                    • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                                    • Part of subcall function 00000001400078C0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                                    • Part of subcall function 00000001400078C0: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                                    • Part of subcall function 00000001400078C0: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                                  • OpenEventA.KERNEL32 ref: 00000001400083D0
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008411
                                                                  • OpenEventA.KERNEL32 ref: 0000000140008454
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008495
                                                                  • CloseHandle.KERNEL32 ref: 00000001400084B4
                                                                    • Part of subcall function 0000000140007A80: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                                    • Part of subcall function 0000000140007A80: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                                    • Part of subcall function 0000000140007A80: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                                    • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                                    • Part of subcall function 0000000140007A80: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                                    • Part of subcall function 0000000140007A80: ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                                    • Part of subcall function 0000000140007A80: ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                                  • OpenFileMappingA.KERNEL32 ref: 00000001400084F4
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140008535
                                                                  • CloseHandle.KERNEL32 ref: 0000000140008554
                                                                  • CloseHandle.KERNEL32 ref: 0000000140008561
                                                                  • MapViewOfFile.KERNEL32 ref: 0000000140008592
                                                                  • CloseHandle.KERNEL32 ref: 00000001400085AB
                                                                  • CloseHandle.KERNEL32 ref: 00000001400085B8
                                                                  • CloseHandle.KERNEL32 ref: 00000001400085C5
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: U?$char_traits@$D@std@@@std@@$CloseHandle$??6?$basic_ostream@V01@$Open_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@D@std@@@1@_EventFileV?$basic_streambuf@$MappingView
                                                                  • String ID:
                                                                  • API String ID: 1089015687-0
                                                                  • Opcode ID: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
                                                                  • Instruction ID: fd742db5588232a2ef73a73be7c7ffe6f8b637fdc8693f60d02eba1a373aa13c
                                                                  • Opcode Fuzzy Hash: 4d9b3b5a05dfcd3b5adb74b265c387ef6eaa0f54ca24a06f19f44a4b42ba6f32
                                                                  • Instruction Fuzzy Hash: 93613DB1210A4482FB17DB27F85539963A2BB8EBE4F404215FB9E4B7B6DE3DC1818700
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: File$CloseCreateHandleMappingView_invalid_parameter_noinfo_noreturnmemcpymemset$Unmap
                                                                  • String ID:
                                                                  • API String ID: 2074253140-0
                                                                  • Opcode ID: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
                                                                  • Instruction ID: c383ff2e5a2ae1bd4c41fba5bb50c967b221784ccd91ddafc61d096c64d59825
                                                                  • Opcode Fuzzy Hash: 248562b180913051027df7d67dc26e8880a830f3431ddf242cd1cb9815f0a7d3
                                                                  • Instruction Fuzzy Hash: F471AA71305A4185FB22CB56F8907E973A2FB8DBD4F404225ABAD4B7B9DE3DC0818704
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: iswdigit$btowclocaleconv
                                                                  • String ID: 0$0
                                                                  • API String ID: 240710166-203156872
                                                                  • Opcode ID: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
                                                                  • Instruction ID: af0a5c0c21de9e9562bd94a16b20dc9db212185150dc15e67242189eca03aa1a
                                                                  • Opcode Fuzzy Hash: 6d10a43a2e0729525a5e450b2b58bb3a00705f545e81967332835754c66a4960
                                                                  • Instruction Fuzzy Hash: 87811D73A1854687E7258F25D85037AB7A2FF90F45F095135DF8A4A2A4EF3CE845C740
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: memchr$isdigit$localeconv
                                                                  • String ID: 0$0123456789abcdefABCDEF
                                                                  • API String ID: 1981154758-1185640306
                                                                  • Opcode ID: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
                                                                  • Instruction ID: 01d27714bcd341805d1c4b50f021da3a610fe562a9ba053c39a1d7da637a08bc
                                                                  • Opcode Fuzzy Hash: 7f4d3f4cda3057e8bb873c227443bc4d4481c724c8c1a0508f868d6b310f8973
                                                                  • Instruction Fuzzy Hash: 1E915962A0C69646F7258F24E81037E7B90FB44F4CF4A9135CE8A4B7A1DA3CE845E740
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: iswdigit$localeconv
                                                                  • String ID: 0$0$0123456789abcdefABCDEF
                                                                  • API String ID: 2634821343-613610638
                                                                  • Opcode ID: ef6e88c2ac66dbb2dc6f71add4529d20562eeee7ef954e087c575f318f21fae7
                                                                  • Instruction ID: 0154d7a6ef273e5e8ac5730381df4ca3c93419c6bcced4a3ab278a5ad1bc70ed
                                                                  • Opcode Fuzzy Hash: ef6e88c2ac66dbb2dc6f71add4529d20562eeee7ef954e087c575f318f21fae7
                                                                  • Instruction Fuzzy Hash: 44813C62E0865687EB358F24E85037976A1FB54F44F0A5031DF8D4F6A8DB3CE845D780
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Findmemmove$CloseFileFirst_invalid_parameter_noinfo_noreturnwcscpy_s
                                                                  • String ID: .$.
                                                                  • API String ID: 479945582-3769392785
                                                                  • Opcode ID: a01e0a977a9af12dc1c55ee5378fd02f318c79ea85c08ca58cd526e5b6b49644
                                                                  • Instruction ID: 8caa782bd7450c4792982d8b4fb75922f688eca35118f0aa1df2c2de2100bb94
                                                                  • Opcode Fuzzy Hash: a01e0a977a9af12dc1c55ee5378fd02f318c79ea85c08ca58cd526e5b6b49644
                                                                  • Instruction Fuzzy Hash: A2419332A1878186EB20AF65E84827A7360FB947A4F414235EBAD1BBE4DF7CD485C701
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionThrow$MemoryRecycle@Recycler@allocator@dvacore@@$_invalid_parameter_noinfo_noreturn
                                                                  • String ID:
                                                                  • API String ID: 1799700165-0
                                                                  • Opcode ID: 1e0f847dc2a3782aeec25429ae73e6995e61774d856b1c67513bc286b7878ef0
                                                                  • Instruction ID: 3a6b280c2881091f38a62e61b74d670a019ca3ad59059a788fa850ef2ffa55ac
                                                                  • Opcode Fuzzy Hash: 1e0f847dc2a3782aeec25429ae73e6995e61774d856b1c67513bc286b7878ef0
                                                                  • Instruction Fuzzy Hash: D52112B5611A80CAE71DEE37A8523EA1362E79C7C4F149536BF594FAAEDE31C4218340
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                                  • String ID:
                                                                  • API String ID: 1326169664-0
                                                                  • Opcode ID: 783457af80c481001cb1b660d8feb6d32373102862bcd1e22f858f5bb513e186
                                                                  • Instruction ID: 006e5c6734ffc65ca567fdbdc66dc772e485290b6f2b6688ba9457b84e3f824e
                                                                  • Opcode Fuzzy Hash: 783457af80c481001cb1b660d8feb6d32373102862bcd1e22f858f5bb513e186
                                                                  • Instruction Fuzzy Hash: 59E14A22B09B46C5FB10DFA5D4402AC7372EB88B98B525136DE5D2BBA8DF7CD54AC304
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo_noreturnstrcspn$localeconvmemmove
                                                                  • String ID:
                                                                  • API String ID: 1326169664-0
                                                                  • Opcode ID: c9b269725f1782d793a8576024f372466b88fd7c981d9a4f9aba4a5e47c554f3
                                                                  • Instruction ID: 09bb2bb933fb9146ee8096aacdd2070d0d08bc87af8a6bce1f2f75582ed8e0a6
                                                                  • Opcode Fuzzy Hash: c9b269725f1782d793a8576024f372466b88fd7c981d9a4f9aba4a5e47c554f3
                                                                  • Instruction Fuzzy Hash: 3CE15B22B09B46C5FB10DBA5D4442AC7372FB48B98B525136DE4D2BBA8DF7CE54AC304
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFormatLastMessage
                                                                  • String ID: GetLastError() = 0x%X
                                                                  • API String ID: 3479602957-3384952017
                                                                  • Opcode ID: 533f244192b844ab0e5322b55a0908537ce0e59edb07c36591f8c56ca1e43e48
                                                                  • Instruction ID: 03957f339625c86e619908699dc07c15f857aa178ffe48bb474e222578fe156c
                                                                  • Opcode Fuzzy Hash: 533f244192b844ab0e5322b55a0908537ce0e59edb07c36591f8c56ca1e43e48
                                                                  • Instruction Fuzzy Hash: 63219032A18BC083E7118B2AE400399B7A4F7D97A4F159315EBE8036E9EB78C545CB40
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: memmove$DiskFreeSpace_invalid_parameter_noinfo_noreturn
                                                                  • String ID:
                                                                  • API String ID: 1915456417-0
                                                                  • Opcode ID: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                                  • Instruction ID: 406689351a7eaa0fc121634a8203386e91fb70bf0cad1fc637c57a65323d04e6
                                                                  • Opcode Fuzzy Hash: 827df29a678acc914af5be89dffc283827e20f4d23f778d148b3d3d85d1eca23
                                                                  • Instruction Fuzzy Hash: AD415732B04B5599FB00DFA1D8402AC3BB5BB58BA8F555626CE5D2BBA8DF7CD085C340
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: InfoLocale___lc_locale_name_func
                                                                  • String ID:
                                                                  • API String ID: 3366915261-0
                                                                  • Opcode ID: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                                  • Instruction ID: 568a2f69e374ffbb5e2b66a1675ca06b6cc2da5c54e69cd3165076286538464e
                                                                  • Opcode Fuzzy Hash: 3e40630636000809c6d9659657ca5a03c54b2732f7ac185b8b22ed8b0cae339b
                                                                  • Instruction Fuzzy Hash: 29F0A932E2C14287E3A86B2CE5687382264FB84306F4A0032E14F4A2B0CF6EF544D741
                                                                  APIs
                                                                  • memset.VCRUNTIME140 ref: 000000014000475B
                                                                    • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
                                                                    • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
                                                                    • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
                                                                  • ?RationalApproximation@utility@dvacore@@YA?AV?$rational@H@boost@@N@Z.DVACORE ref: 0000000140004866
                                                                    • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140004A15
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo_noreturn$memcmp$Approximation@utility@dvacore@@H@boost@@RationalV?$rational@memset
                                                                  • String ID: brightness$camera_firmware_version$camera_id$channel_mask$clip_id$contrast$digital_gain_blue$digital_gain_green$digital_gain_red$exposure_compensation$exposure_time$framerate_denominator$framerate_numerator$genlock_setting$gmt_date$gmt_time$iso$jamsync_setting$local_date$local_time$pixel_aspect_ratio$reel_id_full$sample_size$samplerate$saturation$sensor_id$sensor_name$shutter_degrees$shutter_fractions$shutter_phase_offset$user_timecode_preference$white_balance_kelvin$white_balance_tint
                                                                  • API String ID: 2423274481-1946953090
                                                                  • Opcode ID: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                                  • Instruction ID: 3df9d643723a61ec3293b9608ef6f05312d7ec0c5a500361e19cd6c4bd00b042
                                                                  • Opcode Fuzzy Hash: 0499f14b0a241427102cfa2d74840572fa528df2e1b2e365dfdb7355d6aebae0
                                                                  • Instruction Fuzzy Hash: 2C32FAB1204A4091EB07EF27E5913EA2762AB8EBD8F444522FB5D4F7B7EE39C5458340
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Name::operator+
                                                                  • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
                                                                  • API String ID: 2943138195-1388207849
                                                                  • Opcode ID: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                                  • Instruction ID: 5761a94abebb68cfad9e966b8042b20987080c653f13d1398ef10b20cbd0f550
                                                                  • Opcode Fuzzy Hash: 34b20832b4d5a9c82cdd9a34609b0a596913eac70dfc3082442192f721d64891
                                                                  • Instruction Fuzzy Hash: DCF18172F08E1288FB558B6AC9442FC36B0BB01B65F4065F7CA0D56AB9DF3DA664C340
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Name::operator+
                                                                  • String ID: `anonymous namespace'
                                                                  • API String ID: 2943138195-3062148218
                                                                  • Opcode ID: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                                  • Instruction ID: 8f8066ad350902bdb7a6277ab64fa35203de3d620b9b32dc50f18d255655988d
                                                                  • Opcode Fuzzy Hash: c36001f134547c1fc12f70ffa9b86d35a9d04869d0c52a2f257cd9dd74f3dfc9
                                                                  • Instruction Fuzzy Hash: 2DE17972A08F8295EB10CF2AE9801FC77A0FB45B65F50A0B6EA4D57B65DF38E564C700
                                                                  APIs
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400026F4
                                                                  • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002732
                                                                  • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 000000014000274E
                                                                  • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140002782
                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@M@Z.MSVCP140 ref: 00000001400027D4
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400028A8
                                                                  • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00000001400028DE
                                                                  • ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140 ref: 00000001400028FA
                                                                  • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 000000014000292E
                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@I@Z.MSVCP140 ref: 000000014000295A
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002A28
                                                                  • ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A68
                                                                  • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140002A72
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: U?$char_traits@$D@std@@@std@@$_invalid_parameter_noinfo_noreturn$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??6?$basic_ostream@D@std@@@1@@V01@V?$basic_streambuf@$??1?$basic_ios@??1?$basic_iostream@
                                                                  • String ID: (
                                                                  • API String ID: 703713002-3887548279
                                                                  • Opcode ID: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                                  • Instruction ID: baf078011914228b1285121be46ed74d2e86fc5146668a69ad3868f5cbe279a1
                                                                  • Opcode Fuzzy Hash: a51e6f4afcc7f66459f51ae41447ee0f1922736adf109acdab199dd96ca4b6be
                                                                  • Instruction Fuzzy Hash: 38D18DB2214B8495EB11CF6AE4903EE7761F789BD4F509206EB8E57BA9DF39C085C700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo_noreturn$Library$ByteCharErrorLastLoadMultiWide$AddressFreeProc
                                                                  • String ID: [NOT FOUND ] %s
                                                                  • API String ID: 2350601386-3340296899
                                                                  • Opcode ID: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                                  • Instruction ID: 89755aee4be5230680617513bdac96f2938001ccf8c1f4c7198f5862e1eb9078
                                                                  • Opcode Fuzzy Hash: 74af81471f36da6b6365bd660f41594699afc067cfa6bc1a7de6de52f9e3c134
                                                                  • Instruction Fuzzy Hash: 84B1BE32605B9481FB169B26E54039D6761F788BE4F048615FBE90BBE6DFBAC5D0C340
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Name::operator+
                                                                  • String ID:
                                                                  • API String ID: 2943138195-0
                                                                  • Opcode ID: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                                  • Instruction ID: ea7ba4075f063a697edff5eec546ca21ef78670325a9d4b82fa942b631eb6761
                                                                  • Opcode Fuzzy Hash: 63ad456de8db332c0b347e2e514b887ab112aaee213ccda8367cb7f767930e9c
                                                                  • Instruction Fuzzy Hash: DCF17C72B08A829AEB11DF6AD4901FC37B1EB04B5DF4490B2EE4D57BA5DE38D529C340
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: __scrt_fastfail__scrt_is_nonwritable_in_current_image$__p___argc__p___argv__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt_cexit_exit_get_initial_narrow_environment_register_thread_local_exe_atexit_callback
                                                                  • String ID:
                                                                  • API String ID: 1818695170-0
                                                                  • Opcode ID: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                                  • Instruction ID: 023b0e87761b9852ca56ff973ea6cc8ec164607202ff5c8f9f76f90c0a7f0558
                                                                  • Opcode Fuzzy Hash: 376eebb4fb24d29e766b84f712808a5b8edd27bee4d2d60ba3f24bdb6ed9fe8a
                                                                  • Instruction Fuzzy Hash: BA315E3120520192FA5BEB67E5223E927A1AB9D7C4F444025BB994F2F7DE7FC805C351
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Name::operator+
                                                                  • String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$nullptr
                                                                  • API String ID: 2943138195-2309034085
                                                                  • Opcode ID: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                                  • Instruction ID: bb50fc7534cb9c8a02b554962b73a91cab1c6a81fb000f8435b6fdd1f3f3b46c
                                                                  • Opcode Fuzzy Hash: 767f6b35ed257beddb1ea2fff1390adae3ecab9bc22a75a6672164d643aa4b64
                                                                  • Instruction Fuzzy Hash: B3E1AE62F0CE5284FB149B6A89541FC27A0AF05F69F5021F7CE9D17AB9DF3CA5288341
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: memcmp$_invalid_parameter_noinfo_noreturn$clockmemcpymemset
                                                                  • String ID: B8RB$MRDH$SideCarLut$flip_horizontal$flip_vertical
                                                                  • API String ID: 140832405-680935841
                                                                  • Opcode ID: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                                  • Instruction ID: 18037ac5236aebefbc83965bda8a7e26ab6d0ca403e2fb1aff30bf3622b6eda0
                                                                  • Opcode Fuzzy Hash: 06e9629a2ab99d5d42601c21e60ac14b59a54217acd9ff7d7e9bc23951a6eb62
                                                                  • Instruction Fuzzy Hash: BD2270B2605BC485EB22DF2AE8413E93364F799798F449215EB9C5B7A6EF35C285C300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Frame$BlockEstablisherHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                  • String ID: csm$csm$csm
                                                                  • API String ID: 3436797354-393685449
                                                                  • Opcode ID: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                                  • Instruction ID: 9ccacbc5524f2773c63fd8e983d09dfa201e6de9ad5c1ee3d0c8c0922aa39e89
                                                                  • Opcode Fuzzy Hash: d5e0e3ab29c15918133307a59fdea49d8ed4f7431b693d67295d57de9f2acebd
                                                                  • Instruction Fuzzy Hash: B1D16032B08B418AEB609F6AD4402FD77A4FB45BA9F1021B6DE4D57769CF38E4A0C741
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiWide$__strncntfreemalloc$CompareInfoString
                                                                  • String ID:
                                                                  • API String ID: 3420081407-0
                                                                  • Opcode ID: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                                  • Instruction ID: e45dddcb808d312387fd774c38b51a121902ffecc38cd95c1c0c3167fcbdc3f0
                                                                  • Opcode Fuzzy Hash: 64d7a9ff75df126491a65f553c0043b706980527a23c7bc451daead7a4e39c18
                                                                  • Instruction Fuzzy Hash: 0DA1C172B0878286FB35AF2498107BB6691EF24BA4F464231DE5D1EBE5DF7CE4448342
                                                                  APIs
                                                                    • Part of subcall function 00007FFE0135B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0B0
                                                                    • Part of subcall function 00007FFE0135B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0B8
                                                                    • Part of subcall function 00007FFE0135B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0C1
                                                                    • Part of subcall function 00007FFE0135B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0DD
                                                                  • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0133A87E), ref: 00007FFE01336971
                                                                  • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0133A87E), ref: 00007FFE0133698E
                                                                  • _Maklocstr.LIBCPMT ref: 00007FFE013369AA
                                                                  • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0133A87E), ref: 00007FFE013369B3
                                                                  • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0133A87E), ref: 00007FFE013369D0
                                                                  • _Maklocstr.LIBCPMT ref: 00007FFE013369EC
                                                                  • _Maklocstr.LIBCPMT ref: 00007FFE01336A01
                                                                    • Part of subcall function 00007FFE01324D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01332124,?,?,?,00007FFE013243DB,?,?,?,00007FFE01325B31), ref: 00007FFE01324D72
                                                                    • Part of subcall function 00007FFE01324D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01332124,?,?,?,00007FFE013243DB,?,?,?,00007FFE01325B31), ref: 00007FFE01324D98
                                                                    • Part of subcall function 00007FFE01324D50: memmove.VCRUNTIME140(?,?,?,00007FFE01332124,?,?,?,00007FFE013243DB,?,?,?,00007FFE01325B31), ref: 00007FFE01324DB0
                                                                  Strings
                                                                  • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE013369DB
                                                                  • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE01336999
                                                                  • :AM:am:PM:pm, xrefs: 00007FFE013369FA
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Maklocstrfree$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
                                                                  • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                                  • API String ID: 269533641-35662545
                                                                  • Opcode ID: bc039ad66d0ba42197648aeba787bff5dcb880db238b08c6fd2b2a1d39ca72aa
                                                                  • Instruction ID: 189ec203889a5f0b9fd22ef1855f31fcdcd6d95da9a63cc73743b7f68a5fc795
                                                                  • Opcode Fuzzy Hash: bc039ad66d0ba42197648aeba787bff5dcb880db238b08c6fd2b2a1d39ca72aa
                                                                  • Instruction Fuzzy Hash: C5219172A04B4186EB14DF21E8513A973A1FB98F94F468231DB4D0B766EF3CE581C780
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: ByteCharMultiStringWide$freemalloc$__strncnt
                                                                  • String ID:
                                                                  • API String ID: 1733283546-0
                                                                  • Opcode ID: 42a443d3de6e803021fa83b4e3d70fb260ce748b00c348d1738fd123bc224fca
                                                                  • Instruction ID: 3f499756974b0331bfd43111922b689b06e50223b8a3d38381c50c041f57a14d
                                                                  • Opcode Fuzzy Hash: 42a443d3de6e803021fa83b4e3d70fb260ce748b00c348d1738fd123bc224fca
                                                                  • Instruction Fuzzy Hash: 5D91C332B08B8286EB249F11D84037A77A1FB58BA4F554234EA5D5FBE8DF7CE4458301
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Xp_setw$Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                                  • String ID:
                                                                  • API String ID: 3166507417-0
                                                                  • Opcode ID: eeccd80a1772d7853a0270f4fe0b41f7ed1c8d30b934100b37c1b0e1ad83ab26
                                                                  • Instruction ID: bb61fd0ba7f5b078a45a4990d886356aeede4d74fcc24f096b4d0ac766497eff
                                                                  • Opcode Fuzzy Hash: eeccd80a1772d7853a0270f4fe0b41f7ed1c8d30b934100b37c1b0e1ad83ab26
                                                                  • Instruction Fuzzy Hash: F0618222F08642DAFB10DEA2D4407FD2721AB54B4CF524536DE0D6BBA9DE3DE94AC700
                                                                  APIs
                                                                  • SetDllDirectoryW.KERNEL32 ref: 000000014000721A
                                                                  • ?AppDir@Dir@filesupport@dvacore@@SA?AV123@XZ.DVACORE ref: 0000000140007225
                                                                  • ?FullPath@Dir@filesupport@dvacore@@QEBA?AV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@std@@XZ.DVACORE ref: 0000000140007236
                                                                  • ?UTF16to8@string@dvacore@@YA?AV?$basic_string@EU?$char_traits@E@std@@U?$SBAAllocator@E@allocator@dvacore@@@std@@AEBV?$basic_string@_WU?$char_traits@_W@std@@U?$SBAAllocator@_W@allocator@dvacore@@@4@@Z.DVACORE ref: 0000000140007245
                                                                  • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140007275
                                                                  • ?Dispose@SmallBlockAllocator@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 00000001400072A6
                                                                  • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400072B6
                                                                  • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007362
                                                                  • atoi.API-MS-WIN-CRT-CONVERT-L1-1-0 ref: 0000000140007372
                                                                  • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 000000014000738A
                                                                    • Part of subcall function 0000000140008300: WaitForMultipleObjects.KERNEL32 ref: 0000000140008346
                                                                    • Part of subcall function 0000000140008300: ResetEvent.KERNEL32 ref: 0000000140008355
                                                                    • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007859
                                                                    • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007866
                                                                    • Part of subcall function 0000000140007850: UnmapViewOfFile.KERNEL32 ref: 0000000140007873
                                                                    • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 0000000140007880
                                                                    • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000788D
                                                                    • Part of subcall function 0000000140007850: CloseHandle.KERNEL32 ref: 000000014000789A
                                                                  • ??1Dir@filesupport@dvacore@@QEAA@XZ.DVACORE ref: 00000001400073F6
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Dir@filesupport@dvacore@@$CloseHandle$Allocator@_Allocator@allocator@dvacore@@BlockDispose@FileSmallU?$char_traits@_UnmapV?$basic_string@_ViewW@std@@atoi$Allocator@Dir@DirectoryE@allocator@dvacore@@@std@@E@std@@EventF16to8@string@dvacore@@FullMultipleObjectsPath@ResetU?$char_traits@V123@V?$basic_string@W@allocator@dvacore@@@4@@W@allocator@dvacore@@@std@@Wait
                                                                  • String ID:
                                                                  • API String ID: 2702579277-0
                                                                  • Opcode ID: 437ed10fbc8756fbf1e60dd43fbd6bfbe9c17f37ca66854ce1b2d6d7d99f9aed
                                                                  • Instruction ID: 4e02132fa2518a481f17a5c3ad5963577c23686a774b89ce01035fe16d76d46e
                                                                  • Opcode Fuzzy Hash: 437ed10fbc8756fbf1e60dd43fbd6bfbe9c17f37ca66854ce1b2d6d7d99f9aed
                                                                  • Instruction Fuzzy Hash: 09618EB2608A4082FB12CB26F8947EA67A2F78EBD0F505121FB9D476B5DF3DC5498700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                  • API String ID: 2003779279-1866435925
                                                                  • Opcode ID: a4a40e9eea858fd0c97179975c5d6148b429b4e8a5f5b1eede2254ca8e2c8e71
                                                                  • Instruction ID: 33c4c64cec74a6bfa2f41f0153e231deb8350664c7d4f4c20e3ce6bf301bd851
                                                                  • Opcode Fuzzy Hash: a4a40e9eea858fd0c97179975c5d6148b429b4e8a5f5b1eede2254ca8e2c8e71
                                                                  • Instruction Fuzzy Hash: 2E917D22A18A4685EF64DB19D4913B97760FB94FC8F568036CA4E4B7B9DF3DD44AC300
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
                                                                  • API String ID: 0-3207858774
                                                                  • Opcode ID: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
                                                                  • Instruction ID: 4b82e7ed4481f052495b26e663ea774642c0aeb9898360fb65f19ac7ae463566
                                                                  • Opcode Fuzzy Hash: 6f458657f8fae6e2f2557f40169539ea56a3e6fb73d2116d9b83691f1491e61c
                                                                  • Instruction Fuzzy Hash: A6916C62B08E8689FB208B2AD5411FC37A1AB45F66F9860F7DA4D037A5DF3CE525C350
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Name::operator+$Name::operator+=
                                                                  • String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
                                                                  • API String ID: 179159573-1464470183
                                                                  • Opcode ID: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
                                                                  • Instruction ID: d4210692173e46ffefbc676f35871027f6edbfc03e4b43f36df2cc228779856f
                                                                  • Opcode Fuzzy Hash: 2fc61dd6c602e97fa3c1e55ca06bd20aebc659b0b394667bc2b1a0081ee2f141
                                                                  • Instruction Fuzzy Hash: CD516A32F18E5299FB14CB6AE9401FC37B0BB05BA9F5051B6EE0D52A68DF39E561C300
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Xp_setw$Xp_setn$Xp_addx$iswspaceiswxdigit
                                                                  • String ID:
                                                                  • API String ID: 3781602613-0
                                                                  • Opcode ID: e17196f95cdb0749357bc000aa5b227375a42e0ffcdbd2e50a85470c023663fa
                                                                  • Instruction ID: c3249f79a152ced44b1a6a5c323e8a5c17307b4817b93fa9663af99aef85c0e8
                                                                  • Opcode Fuzzy Hash: e17196f95cdb0749357bc000aa5b227375a42e0ffcdbd2e50a85470c023663fa
                                                                  • Instruction Fuzzy Hash: 4561A222F085429AFB10DFA2D4802FD6732AB54B58F524536DE0D6BBE9DE3DE54AC700
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Name::operator+
                                                                  • String ID:
                                                                  • API String ID: 2943138195-0
                                                                  • Opcode ID: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
                                                                  • Instruction ID: 6e8b4e8d1a5aa516f7af2ab15dac81b9a41fbd1fbb45ddf8a18ac0db6d436946
                                                                  • Opcode Fuzzy Hash: 28d39e64d2900046752fe00e0d170ae61e4b908a297697eb59c3c366de5be272
                                                                  • Instruction Fuzzy Hash: EB616F62F04B6298FB01DBA6D8801FC33B1FB44BA8B4054B6DE4D6BA69DF78D565C340
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912475627.00007FFE1A4E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A4E0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912455125.00007FFE1A4E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912497165.00007FFE1A4E5000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912522337.00007FFE1A4E8000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912540672.00007FFE1A4E9000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4e0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: abort$AdjustPointermemmove
                                                                  • String ID:
                                                                  • API String ID: 338301193-0
                                                                  • Opcode ID: 07f6f1c71b1fba12c50c9bfb688491a0a06ff6fb4efb73833bc0a4a245d0f2ba
                                                                  • Instruction ID: df175bbe1b7cfcd38dbdaf42f49140951eb6c4f87eb5e7675adfd21fad0ae9ad
                                                                  • Opcode Fuzzy Hash: 07f6f1c71b1fba12c50c9bfb688491a0a06ff6fb4efb73833bc0a4a245d0f2ba
                                                                  • Instruction Fuzzy Hash: A351A121F4AF4281FA65DB1BD4445BC63E4AF64FA4F1984F7DA4E06BA4DF2CE4618300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912475627.00007FFE1A4E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A4E0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912455125.00007FFE1A4E0000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912497165.00007FFE1A4E5000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912522337.00007FFE1A4E8000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912540672.00007FFE1A4E9000.00000002.00000001.01000000.0000000B.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4e0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                                  • String ID: csm$csm$csm
                                                                  • API String ID: 211107550-393685449
                                                                  • Opcode ID: cb3bf927df27b60c74c765ddc221b28a06d569304d98737ce8ec765a202f2bbd
                                                                  • Instruction ID: aacf84ef4922eba7861ff8ca342a9d20241d0a7b02f9d51074b12d7adf925e32
                                                                  • Opcode Fuzzy Hash: cb3bf927df27b60c74c765ddc221b28a06d569304d98737ce8ec765a202f2bbd
                                                                  • Instruction Fuzzy Hash: 9DE1A072B08B828AE7119F6AD4802FD77A0FB54B68F1401B6DA8D47666DF3CE5A5C700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                                  • String ID: csm$csm$csm
                                                                  • API String ID: 211107550-393685449
                                                                  • Opcode ID: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
                                                                  • Instruction ID: a511da04b05b4105de738ee44a9e56de6249e6ab7464fae5cb5852d64655a6a0
                                                                  • Opcode Fuzzy Hash: 1f2c6e9c8ad6c1917ecaa8d6efe9c468c91fc9baef10e6d9588306a72b9f3ebc
                                                                  • Instruction Fuzzy Hash: 5CE19172A08A818AE720DF3AD4802FD7BA0FB44B69F1561B6DE9D47765CF38E495C700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: memchrtolower$_errnoisspace
                                                                  • String ID: 0$0123456789abcdefghijklmnopqrstuvwxyz
                                                                  • API String ID: 3508154992-2692187688
                                                                  • Opcode ID: fec665214cfe3d47a35b6191644bb1773cefb00ebec378436a90ee3c0f6bd372
                                                                  • Instruction ID: af46f0fa9120f38fcf9f0b2cabfc14db4cd7450df96b0ed12a2a2b4f12455c73
                                                                  • Opcode Fuzzy Hash: fec665214cfe3d47a35b6191644bb1773cefb00ebec378436a90ee3c0f6bd372
                                                                  • Instruction Fuzzy Hash: 8151D612A0D7D685FB758F24A8113B97A90BB45FE4F4A4231CD9E4F3A5DE3CA942A310
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Name::operator+
                                                                  • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                                                                  • API String ID: 2943138195-2239912363
                                                                  • Opcode ID: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
                                                                  • Instruction ID: 22e4d0331bfb5caf97e8e3003839e53a1adf6d5343babc2a45bcc6ea91da71c2
                                                                  • Opcode Fuzzy Hash: e2dcc5ac231621b7bb9adceaede0f9dd180f9bba2b8fff5e7c5622460418e45f
                                                                  • Instruction Fuzzy Hash: 7A516862F08F8288FB11CB66D8412FC77A0BB0AB65F4490F6DA4D52AA4DF7C9465C720
                                                                  APIs
                                                                  • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007901
                                                                  • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007920
                                                                  • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007954
                                                                    • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                                    • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                                    • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                                    • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 000000014000798B
                                                                    • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                                    • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                                    • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 00000001400079A5
                                                                  • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A52
                                                                  • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007A5C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                                  • String ID: ImptRED_CEvent_
                                                                  • API String ID: 2242036409-942587184
                                                                  • Opcode ID: 557c14cbb82c01860ffad337f226fd7406777ec9e2df2431951664573931bf9d
                                                                  • Instruction ID: 9b405900c275d478bf9193c59fc3990d56eeb31e22b03c6e117ca8d8066cf312
                                                                  • Opcode Fuzzy Hash: 557c14cbb82c01860ffad337f226fd7406777ec9e2df2431951664573931bf9d
                                                                  • Instruction Fuzzy Hash: 1D519AB2204B8096EB11CB6AE89079E7B70F389B98F504111EF8D57BA9DF3DC549CB00
                                                                  APIs
                                                                  • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E41
                                                                  • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007E60
                                                                  • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007E94
                                                                    • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                                    • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                                    • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                                    • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007ECB
                                                                    • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                                    • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                                    • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007EE5
                                                                  • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F92
                                                                  • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007F9C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                                  • String ID: ImptRED_SEvent_
                                                                  • API String ID: 2242036409-1609572862
                                                                  • Opcode ID: d112ca771eb2ea79db8c006b322dd33d38b974d4ce4bed7cb3b18525a6c5e379
                                                                  • Instruction ID: 8a97eb910a4fcdb6b4de6865597d3f36b8df7ed7ebbeccb018c797ebbaee1b0b
                                                                  • Opcode Fuzzy Hash: d112ca771eb2ea79db8c006b322dd33d38b974d4ce4bed7cb3b18525a6c5e379
                                                                  • Instruction Fuzzy Hash: 15519A72204B8096EB11CB6AE8907AE7B70F389B98F504111EF8D17BA8DF3DC549CB40
                                                                  APIs
                                                                  • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007AC1
                                                                  • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007AE0
                                                                  • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007B14
                                                                    • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                                    • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                                    • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                                    • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B4B
                                                                    • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                                    • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                                    • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007B65
                                                                  • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C12
                                                                  • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007C1C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                                  • String ID: ImptRED_CmdMap_
                                                                  • API String ID: 2242036409-3276274529
                                                                  • Opcode ID: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
                                                                  • Instruction ID: 80f30c22282736ca9dbe0986c54b36137faedd7c3a9fa85d2e807ed86ae44cad
                                                                  • Opcode Fuzzy Hash: eb72b4b9c3728dda12df250c988d7f9d49db028f0d6767484122c5dd21b42268
                                                                  • Instruction Fuzzy Hash: BC518972204B8096EB11CB6AE8907DE7B70F389B98F504111EF8D17BA8DF79C449CB00
                                                                  APIs
                                                                  • ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007C81
                                                                  • ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 0000000140007CA0
                                                                  • ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 0000000140007CD4
                                                                    • Part of subcall function 00000001400074F0: ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                                    • Part of subcall function 00000001400074F0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                                    • Part of subcall function 00000001400074F0: ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                                    • Part of subcall function 00000001400074F0: ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D0B
                                                                    • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                                    • Part of subcall function 00000001400074F0: ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                                    • Part of subcall function 00000001400074F0: ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                                  • ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z.MSVCP140 ref: 0000000140007D25
                                                                  • ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DD2
                                                                  • ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 0000000140007DDC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@?sputc@?$basic_streambuf@V01@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@D@std@@@1@_Osfx@?$basic_ostream@V12@V?$basic_streambuf@
                                                                  • String ID: ImptRED_DMap_
                                                                  • API String ID: 2242036409-2879874026
                                                                  • Opcode ID: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                                  • Instruction ID: 0bc148500ed73b7892a49071eae52613f37d732fbc5d9ce32192ec441dd01905
                                                                  • Opcode Fuzzy Hash: 24b51fecd5f2a7e452d15f5c53ef0673e248089cf4209326baeba089d217b960
                                                                  • Instruction Fuzzy Hash: F9518BB2204B4096EB11CB56E8807AE7B70F789B98F504116EF8D17BA8DF7DC549CB00
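The four functions above (at 0000000140007901, 0000000140007E41, 0000000140007AC1 and 0000000140007C81 in the ImporterREDServer image) each construct a std::ostream and stream two integers after one of the prefixes ImptRED_CEvent_, ImptRED_SEvent_, ImptRED_CmdMap_ and ImptRED_DMap_, i.e. they build per-instance names at runtime. The Python below is an added example, not code from the Joe Sandbox report or from the sample: it pulls printable strings out of a memory-dump-style byte buffer and separates those sample-specific ImptRED_ names from the MSVC CRT/STL strings that the same dumps also contain (csm, ios_base::* messages). The buffer is constructed inline for the example, and the suffix format after each prefix is an assumption, since the report only shows that integers are streamed, not how they are separated.

```python
import re
from typing import Dict, List, Optional, Tuple

# Prefixes taken from the report's String IDs for the ImporterREDServer image
# (functions at 0x140007901, 0x140007E41, 0x140007AC1, 0x140007C81).
IMPTRED_PREFIXES: Tuple[str, ...] = (
    "ImptRED_CEvent_",
    "ImptRED_SEvent_",
    "ImptRED_CmdMap_",
    "ImptRED_DMap_",
)

# Library strings seen in the same dumps (MSVC CRT/STL); not sample-specific.
CRT_NOISE = frozenset({
    "csm",
    "ios_base::badbit set",
    "ios_base::eofbit set",
    "ios_base::failbit set",
})

# Assumption: a name is the prefix followed by the streamed integers. The
# separator between the two integers is not visible in the report, so whatever
# follows the prefix is captured as an opaque suffix.
_NAME_RE = re.compile(r"^(ImptRED_(?:CEvent|SEvent|CmdMap|DMap)_)(.*)$")


def extract_ascii_strings(blob: bytes, min_len: int = 3) -> List[str]:
    """Return runs of printable ASCII (0x20..0x7E) of at least min_len bytes.

    min_len defaults to 3 so the CRT marker 'csm' is not dropped.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pattern.finditer(blob)]


def parse_imptred_name(s: str) -> Optional[Tuple[str, str]]:
    """Split an ImptRED_* name into (prefix, suffix); None if it is not one."""
    m = _NAME_RE.match(s)
    if m is None:
        return None
    return m.group(1), m.group(2)


def classify_strings(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket strings into sample-specific names, CRT noise and the rest."""
    buckets: Dict[str, List[str]] = {"imptred": [], "crt_noise": [], "other": []}
    for s in strings:
        if parse_imptred_name(s) is not None:
            buckets["imptred"].append(s)
        elif s in CRT_NOISE:
            buckets["crt_noise"].append(s)
        else:
            buckets["other"].append(s)
    return buckets


def scan_dump(blob: bytes) -> Dict[str, List[str]]:
    """Extract and classify printable strings from a raw dump buffer."""
    return classify_strings(extract_ascii_strings(blob))


# Constructed sample buffer for the example; NOT an actual .sdmp from the report.
SAMPLE_DUMP = (
    b"\x00\x00ImptRED_CEvent_\x00\x90\x90csm\x00"
    b"ios_base::failbit set\x00ImptRED_DMap_4242\x00Hello\x00"
)

if __name__ == "__main__":
    for bucket, names in scan_dump(SAMPLE_DUMP).items():
        print(bucket, names)
```

Run it against a real .sdmp by reading the file as bytes and passing it to scan_dump; only the "imptred" bucket is worth pivoting on, since the "crt_noise" entries will match any MSVC-built binary. Names are only scanned as 8-bit strings because the report shows char-based std::basic_ostream<char> building them; a UTF-16 pass would be needed for wide-character names.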
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                  • API String ID: 1099746521-1866435925
                                                                  • Opcode ID: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                                  • Instruction ID: f72d9989338909de815693a781771b153a073a1be83e82c8e3d4cc3087643b07
                                                                  • Opcode Fuzzy Hash: cfb082ff85bf210e1d9c1e71ef6406b4313e61eef1ad4e5204bd3149fde2de6c
                                                                  • Instruction Fuzzy Hash: 4121A1B1E1960B95FF24BB10D8826F92321EF64740F9A4036D94E0B5B6EE2DE549C341
APIs
  • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002DFA
  • Part of subcall function 0000000140002D40: memcmp.VCRUNTIME140 ref: 0000000140002E4B
  • Part of subcall function 0000000140002D40: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140002EA0
• strcmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00000001400050DF
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140005233
  • Part of subcall function 00000001400054B0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400055FA
• memcmp.VCRUNTIME140 ref: 00000001400052B4
• memcmp.VCRUNTIME140 ref: 0000000140005325
• _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00000001400053DA
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
• Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
Similarity
• API ID: _invalid_parameter_noinfo_noreturnmemcmp$strcmp
• String ID: MRDH$SideCarLut
• API String ID: 916663099-3852011117
• Opcode ID: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
• Instruction ID: 38950fd8b35224f21f2e144008351fd49fe11793fcade85143d264d05d5c62af
• Opcode Fuzzy Hash: 608b0a0c66fbb98f29b68c1b5e97cf3bfbb6c06cba486352861d6329e8aabb8d
• Instruction Fuzzy Hash: 4DD192B2204A8496EB62DF26E8843DE2761F74A7D5F841212FB5D4BAF6EF74C645C300
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
• Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
Similarity
• API ID: ExceptionThrowstd::ios_base::failure::failure
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2003779279-1866435925
• Opcode ID: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
• Instruction ID: 20545569665612a28acd118f6220a09080dca12f4a87111647c9f90abe41bc70
• Opcode Fuzzy Hash: df26b54dcd2e7818783b48fec88ebffc83092775aeb9705f64e37e9dcb953063
• Instruction Fuzzy Hash: 04613A22A08A468AFF64DB19D4913B967A0FB84FD8F568036CA4E4B7B5DF3DD446C300
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
• Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
Similarity
• API ID: ExceptionThrowfputwcfwritestd::ios_base::failure::failure
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 1428583292-1866435925
• Opcode ID: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
• Instruction ID: f67d15285dff7870759ed95d2ed87389b18c6ebc997095de76f9de918dc90f98
• Opcode Fuzzy Hash: 125ebd58732ec9439b0c4b251e07eb1884b141fda17910a2e50d74977be254b2
• Instruction Fuzzy Hash: BD718D72A19B82D5EB60CF25E4802B933A0FB54F88F964032EA4D4BBA4DF3DD595C704
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
• Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
Similarity
• API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
• String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
• API String ID: 1852475696-928371585
• Opcode ID: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
• Instruction ID: dfb8a5f0657e13e55bb00bcd716ede9b76c56662161f2301ae66f3fc3361d5ff
• Opcode Fuzzy Hash: 7f6c35cefbfcfc98e88ebc0aa35afe6c2c6ede9eabcdb344d1914a97fbaad475
• Instruction Fuzzy Hash: 6351AD72B09E8696EE20CB2AE4905B9A360FF44FA6F4054F2EA4E47675DF3CE115C301
APIs
• std::ios_base::failure::failure.LIBCPMT ref: 00007FFE013698D3
• _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE0135C678), ref: 00007FFE013698E4
• std::ios_base::failure::failure.LIBCPMT ref: 00007FFE01369927
• _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FFE0135C678), ref: 00007FFE01369938
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
• Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
Similarity
• API ID: ExceptionThrowstd::ios_base::failure::failure
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2003779279-1866435925
• Opcode ID: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
• Instruction ID: 220021aa76c90885e9931476c8fef85e2c3c13939b7fbcb5377c74d0e4c4a0ca
• Opcode Fuzzy Hash: 8f60f0c0fd1a51c4b62bc7d7b3fa713865788f1410f6822034779dd9d7d35d98
• Instruction Fuzzy Hash: 0F616A22A08A4689EB64DB19D4913B97B60FB84FD8F568036CA4E4B3B5DF3DD446C341
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
• Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
Similarity
• API ID: memchrtolower$_errnoisspace
• String ID: 0123456789abcdefghijklmnopqrstuvwxyz
• API String ID: 3508154992-4256519037
• Opcode ID: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
• Instruction ID: 77a2216c582f9323432ba468898cf7c7a123fa3c3abd3fd160c8920df8c71837
• Opcode Fuzzy Hash: c356680aea4f1b098ce2d85b3c2bc8858b80ca078cd62f0c13bf77b308a48d91
• Instruction Fuzzy Hash: DF51E422A0D78686F7318E25A8103B97A90BF85F99F4A4135DD9E4B7A4DF3CE8469700
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
• Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
Similarity
• API ID: ExceptionThrowstd::ios_base::failure::failure
• String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
• API String ID: 2003779279-1866435925
• Opcode ID: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
• Instruction ID: c3c1d4f6c378b03ec5933021e07ba847f50e372ffb114585f4284b0e10d10fa2
• Opcode Fuzzy Hash: ca645f53885124775f2be7063501f64d58a7152d6be094203c98a7d7be5ee4ae
• Instruction Fuzzy Hash: FB517E72A08A0A81EF64EB19D4C02A9A360FF54F94F564536DA5E8B7B9DF2CD845C301
APIs
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
• Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
Similarity
• API ID: Name::operator+$Name::operator+=
• String ID: {for
• API String ID: 179159573-864106941
• Opcode ID: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
• Instruction ID: 794e7e422f3f0e0b154e6e69b5c5a983ea422e975299eacdf9cbb92a092f291d
• Opcode Fuzzy Hash: edc966f78679f2c80b6a90da374f91d2d358e76260b44eb27b7c84d8a506cb89
• Instruction Fuzzy Hash: BB515A72B08A85A9EB118F2AD5413FC33A1EB45B69F4490F2EA4C47BA5DF7CD564C340
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A4E3717,?,?,00000000,00007FFE1A4E3548,?,?,?,?,00007FFE1A4E32C9), ref: 00007FFE1A4E35DD
• GetLastError.KERNEL32(?,?,?,00007FFE1A4E3717,?,?,00000000,00007FFE1A4E3548,?,?,?,?,00007FFE1A4E32C9), ref: 00007FFE1A4E35EB
• wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A4E3717,?,?,00000000,00007FFE1A4E3548,?,?,?,?,00007FFE1A4E32C9), ref: 00007FFE1A4E3604
• LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A4E3717,?,?,00000000,00007FFE1A4E3548,?,?,?,?,00007FFE1A4E32C9), ref: 00007FFE1A4E3616
• FreeLibrary.KERNEL32(?,?,?,00007FFE1A4E3717,?,?,00000000,00007FFE1A4E3548,?,?,?,?,00007FFE1A4E32C9), ref: 00007FFE1A4E365C
• GetProcAddress.KERNEL32(?,?,?,00007FFE1A4E3717,?,?,00000000,00007FFE1A4E3548,?,?,?,?,00007FFE1A4E32C9), ref: 00007FFE1A4E3668
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1912475627.00007FFE1A4E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A4E0000, based on PE: true
• Associated: 0000000C.00000002.1912455125.00007FFE1A4E0000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.1912497165.00007FFE1A4E5000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.1912522337.00007FFE1A4E8000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000C.00000002.1912540672.00007FFE1A4E9000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffe1a4e0000_ImporterREDServer.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
• String ID: api-ms-
• API String ID: 916704608-2084034818
• Opcode ID: f3ae6e208fe004567e7f0a3f678c73f8fb6582ef1bf2b3c2b3910a50123c0093
• Instruction ID: 9b252be60e14cd3f4406afd06f79659334b75ff0210ca9ccb8906d248cb09736
• Opcode Fuzzy Hash: f3ae6e208fe004567e7f0a3f678c73f8fb6582ef1bf2b3c2b3910a50123c0093
• Instruction Fuzzy Hash: A831AF21B1AE4291EE22DB33E8006752294BF48FB0F5949F6DD5D063A0EF3CF4658740
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A4F6A6B,?,?,00000000,00007FFE1A4F689C,?,?,?,?,00007FFE1A4F65E5), ref: 00007FFE1A4F6931
• GetLastError.KERNEL32(?,?,?,00007FFE1A4F6A6B,?,?,00000000,00007FFE1A4F689C,?,?,?,?,00007FFE1A4F65E5), ref: 00007FFE1A4F693F
• wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE1A4F6A6B,?,?,00000000,00007FFE1A4F689C,?,?,?,?,00007FFE1A4F65E5), ref: 00007FFE1A4F6958
• LoadLibraryExW.KERNEL32(?,?,?,00007FFE1A4F6A6B,?,?,00000000,00007FFE1A4F689C,?,?,?,?,00007FFE1A4F65E5), ref: 00007FFE1A4F696A
• FreeLibrary.KERNEL32(?,?,?,00007FFE1A4F6A6B,?,?,00000000,00007FFE1A4F689C,?,?,?,?,00007FFE1A4F65E5), ref: 00007FFE1A4F69B0
• GetProcAddress.KERNEL32(?,?,?,00007FFE1A4F6A6B,?,?,00000000,00007FFE1A4F689C,?,?,?,?,00007FFE1A4F65E5), ref: 00007FFE1A4F69BC
Strings
Memory Dump Source
• Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
• Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
• String ID: api-ms-
• API String ID: 916704608-2084034818
• Opcode ID: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
• Instruction ID: 5bb4600886fe781134054e11431c115e47a9cdddfa00746cfb0e0ec9b4b12362
• Opcode Fuzzy Hash: 45bb9c456b18d615664943834e4003b355ea3ec7f5874fc1f64106649d67ca5c
• Instruction Fuzzy Hash: 4131B021B0AF8281EE119B1BA9009F9A2A4FF45FB1F1955B6ED6D073A4EF3CE154C700
                                                                  APIs
                                                                    • Part of subcall function 00007FFE0135B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0B0
                                                                    • Part of subcall function 00007FFE0135B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0B8
                                                                    • Part of subcall function 00007FFE0135B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0C1
                                                                    • Part of subcall function 00007FFE0135B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0DD
                                                                  • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0135243E), ref: 00007FFE01351309
                                                                  • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0135243E), ref: 00007FFE01351326
                                                                  • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0135243E), ref: 00007FFE0135134B
                                                                  • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0135243E), ref: 00007FFE01351368
                                                                    • Part of subcall function 00007FFE01324D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01332124,?,?,?,00007FFE013243DB,?,?,?,00007FFE01325B31), ref: 00007FFE01324D72
                                                                    • Part of subcall function 00007FFE01324D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01332124,?,?,?,00007FFE013243DB,?,?,?,00007FFE01325B31), ref: 00007FFE01324D98
                                                                    • Part of subcall function 00007FFE01324D50: memmove.VCRUNTIME140(?,?,?,00007FFE01332124,?,?,?,00007FFE013243DB,?,?,?,00007FFE01325B31), ref: 00007FFE01324DB0
                                                                  Strings
                                                                  • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE01351373
                                                                  • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE01351331
                                                                  • :AM:am:PM:pm, xrefs: 00007FFE01351392
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
                                                                  • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                                  • API String ID: 2607222871-35662545
                                                                  • Opcode ID: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
                                                                  • Instruction ID: ec843c2ba31731848b7b0d0dd385f0af13459a20639d971b43404c88776746e1
                                                                  • Opcode Fuzzy Hash: 10fedc6cf8b271c653acab5ff3af7f7baa33902e39f74547f85e4552edfb1042
                                                                  • Instruction Fuzzy Hash: 18215E36A04B8182EB10DF25E4543A973A1FB98F94F4A8235DA4D4B766EF3CE585C380
                                                                  APIs
                                                                    • Part of subcall function 00007FFE0135B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0B0
                                                                    • Part of subcall function 00007FFE0135B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0B8
                                                                    • Part of subcall function 00007FFE0135B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0C1
                                                                    • Part of subcall function 00007FFE0135B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0DD
                                                                  • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0133A96E), ref: 00007FFE01336A5E
                                                                  • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0133A96E), ref: 00007FFE01336A7B
                                                                  • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0133A96E), ref: 00007FFE01336A9B
                                                                  • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,00007FFE0133A96E), ref: 00007FFE01336AB8
                                                                    • Part of subcall function 00007FFE01324DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01336AB5,?,?,?,?,?,?,?,?,?,00007FFE0133A96E), ref: 00007FFE01324DF9
                                                                    • Part of subcall function 00007FFE01324DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01336AB5,?,?,?,?,?,?,?,?,?,00007FFE0133A96E), ref: 00007FFE01324E28
                                                                    • Part of subcall function 00007FFE01324DD0: memmove.VCRUNTIME140(?,?,00000000,00007FFE01336AB5,?,?,?,?,?,?,?,?,?,00007FFE0133A96E), ref: 00007FFE01324E3F
                                                                  Strings
                                                                  • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFE01336AC3
                                                                  • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE01336A86
                                                                  • :AM:am:PM:pm, xrefs: 00007FFE01336AD4
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: free$GetdaysGetmonths___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funcmallocmemmove
                                                                  • String ID: :AM:am:PM:pm$:Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece$:Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                                  • API String ID: 2607222871-3743323925
                                                                  • Opcode ID: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
                                                                  • Instruction ID: 11d8143fc1b0beef105fd2b38a387cd919780aa4fd797192930b88d0d606620c
                                                                  • Opcode Fuzzy Hash: 147ff19c228d385071215598088683fcc7037ecf54d145b5104d8f1094f74a55
                                                                  • Instruction Fuzzy Hash: 08213062E08B4182EB20DF21E455279B3B0FB99B94F455234DA4E4B766EF7CE584C740
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: abort$AdjustPointer
                                                                  • String ID:
                                                                  • API String ID: 1501936508-0
                                                                  • Opcode ID: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
                                                                  • Instruction ID: 4d752fd1b344fb9a09e7754d61691d877203d6a962fac0eccfafa74eebca1cba
                                                                  • Opcode Fuzzy Hash: ad7bbbe6b4c289a22ae1e43e79ef4439cf3ee9b14764b2eff01f06dd25f3f236
                                                                  • Instruction Fuzzy Hash: 7651B121F0EE4382EA698B5B95446BD6794AF44FA2F09A1F7DA4D073A4CF3CE4618301
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: abort$AdjustPointer
                                                                  • String ID:
                                                                  • API String ID: 1501936508-0
                                                                  • Opcode ID: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                                  • Instruction ID: 3df8e40ba064a92090fd37e55897aa3b8f2cd30b573682430eaa9625fcf53cd0
                                                                  • Opcode Fuzzy Hash: d386002f74db6febb42ef9b4bac4e43e25a554ab645870d9c47f674d5a84533b
                                                                  • Instruction Fuzzy Hash: 5751AE61B0EF4282FA659B1A95846B963D0AF64FA2F0560F7DA4D067B4DF3CE4618301
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                                  • String ID:
                                                                  • API String ID: 578106097-0
                                                                  • Opcode ID: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
                                                                  • Instruction ID: 1d72990cf00689382c04c084ae11827898ebaee09e65356ae0baecbe2a8016a9
                                                                  • Opcode Fuzzy Hash: 031fdb0fd8573f0e151f958ea64a4ecea4735ba7c269578f79036d3a0c02e00a
                                                                  • Instruction Fuzzy Hash: 8B61C522B1C642C6EB11DF61E4807BE6720FB85B48F924532EE4E5B6A5DF7CE54AC700
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Xp_setn$Xp_addx$Stofltisspaceisxdigit
                                                                  • String ID:
                                                                  • API String ID: 578106097-0
                                                                  • Opcode ID: 2bde4d66b639f73dabc1d452e0e8b595216b0374bc4e16fb8a4ea73805052ec2
                                                                  • Instruction ID: 48e39672a9a1f2b665044865b61fce966764a1eb2705f25bd247184217554272
                                                                  • Opcode Fuzzy Hash: 2bde4d66b639f73dabc1d452e0e8b595216b0374bc4e16fb8a4ea73805052ec2
                                                                  • Instruction Fuzzy Hash: 6D61D522B1C642C2E711DF62E4817BE7760FF94B48F524532EE4E5B6A5DE3CE5468700
                                                                  APIs
                                                                    • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                                    • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                                    • Part of subcall function 000000014000C8A0: memcpy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000014000C98E
                                                                  • memcpy.VCRUNTIME140 ref: 000000014000C3C8
                                                                  • memcpy.VCRUNTIME140 ref: 000000014000C427
                                                                    • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0B6
                                                                    • Part of subcall function 0000000140009FD0: memcpy.VCRUNTIME140 ref: 000000014000A0C4
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000C52F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: memcpy$__acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturn
                                                                  • String ID: REDR3D-x64.dll$[LOAD PATH ] %s$[TEST TEST] IGNORING REDIRECT %s
                                                                  • API String ID: 1244713665-103080910
                                                                  • Opcode ID: ddc8c4655f835ded4f700a1b1333232acfafde412f7d4c62f4e22de029a9f3a9
                                                                  • Instruction ID: cfd617ef930489ab8aca6008b2e9167fc097850ba9bca21f1b358ae0caa8a91c
                                                                  • Opcode Fuzzy Hash: ddc8c4655f835ded4f700a1b1333232acfafde412f7d4c62f4e22de029a9f3a9
                                                                  • Instruction Fuzzy Hash: 8E719AB2721A4086EB12CF66E8443DD37B1F749BD8F484622EF195BBA9DB38C181C340
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: FileHeader_local_unwind
                                                                  • String ID: MOC$RCC$csm$csm
                                                                  • API String ID: 2627209546-1441736206
                                                                  • Opcode ID: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
                                                                  • Instruction ID: 814fff685c87776ae82130b9d3581a9e22189ba7e56b629527d921e2f132c387
                                                                  • Opcode Fuzzy Hash: 385ada566cdd30ad99b7ac5e1d5c8025a7264eea7c22efa234297d7bd0e399d8
                                                                  • Instruction Fuzzy Hash: 19518372B09A1186FB609F3A94403BD66A0FF84F66F1420F3EA5D42365DF3CE4518A82
                                                                  APIs
                                                                  • ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007593
                                                                  • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 00000001400075E6
                                                                  • ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,0000000140007D06), ref: 0000000140007608
                                                                  • ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007629
                                                                  • ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 0000000140007677
                                                                  • ?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000767E
                                                                  • ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,0000000140007D06), ref: 000000014000768A
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?flush@?$basic_ostream@?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@V12@
                                                                  • String ID:
                                                                  • API String ID: 1492985063-0
                                                                  • Opcode ID: 48a82f96b1c6e9b0e595215daea0aa73583c570643872832382f0a47eff30425
                                                                  • Instruction ID: c8404d0b7dac135a461826d57f818375c200501a51cfbfcecc82e8383ca51cf8
                                                                  • Opcode Fuzzy Hash: 48a82f96b1c6e9b0e595215daea0aa73583c570643872832382f0a47eff30425
                                                                  • Instruction Fuzzy Hash: 11515F72600A4082EB62CF1BE5947A9A7A0F789FE5F15C611EF9E477F1CB7AC5468300
                                                                  APIs
                                                                  • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01351347), ref: 00007FFE0132BB38
                                                                  • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01351347), ref: 00007FFE0132BB48
                                                                  • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01351347), ref: 00007FFE0132BB5D
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01351347), ref: 00007FFE0132BB91
                                                                  • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01351347), ref: 00007FFE0132BB9B
                                                                  • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01351347), ref: 00007FFE0132BBAB
                                                                  • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01351347), ref: 00007FFE0132BBBB
                                                                    • Part of subcall function 00007FFE013725AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01325AF8), ref: 00007FFE013725C6
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: memmove$memset$_invalid_parameter_noinfo_noreturnmalloc
                                                                  • String ID:
                                                                  • API String ID: 1468981775-0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionThrowsetvbufstd::ios_base::failure::failure
                                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                  • API String ID: 2924853686-1866435925
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentThread$xtime_get
                                                                  • String ID:
                                                                  • API String ID: 1104475336-0
                                                                  APIs
                                                                  • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE01343B56
                                                                    • Part of subcall function 00007FFE0135B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0B0
                                                                    • Part of subcall function 00007FFE0135B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0B8
                                                                    • Part of subcall function 00007FFE0135B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0C1
                                                                    • Part of subcall function 00007FFE0135B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0DD
                                                                  • _Maklocstr.LIBCPMT ref: 00007FFE01343BCF
                                                                  • _Maklocstr.LIBCPMT ref: 00007FFE01343BE5
                                                                  • _Getvals.LIBCPMT ref: 00007FFE01343C8A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Maklocstr$Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                                  • String ID: false$true
                                                                  • API String ID: 2626534690-2658103896
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: NameName::atol
                                                                  • String ID: `template-parameter$void
                                                                  • API String ID: 2130343216-4057429177
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Name::operator+
                                                                  • String ID: ,...$,<ellipsis>$...$<ellipsis>$void
                                                                  • API String ID: 2943138195-2211150622
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Name::operator+
                                                                  • String ID: char $int $long $short $unsigned
                                                                  • API String ID: 2943138195-3894466517
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo_noreturnmemsetstrcspn$localeconvmemmove
                                                                  • String ID:
                                                                  • API String ID: 3009415009-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Dunscale$_errno
                                                                  • String ID:
                                                                  • API String ID: 2900277114-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Dunscale$_errno
                                                                  • String ID:
                                                                  • API String ID: 2900277114-0
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: memcpy$_invalid_parameter_noinfo_noreturn
                                                                  • String ID: R3DAPI 7.3.1-44A14 (20200513 W64S)
                                                                  • API String ID: 2665656946-1215215629
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: fgetc
                                                                  • String ID:
                                                                  • API String ID: 2807381905-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                                  • String ID:
                                                                  • API String ID: 3490103321-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Xp_setn$Xp_addx$iswspaceiswxdigit
                                                                  • String ID:
                                                                  • API String ID: 3490103321-0
                                                                  • Opcode ID: a968a163d27d4a2015612df6a25af1ade50538c4fbfbe472cc9928b4ab87bfd3
                                                                  • Instruction ID: 90fdc51e9c8c95fb769d79c28f8ce00238e61826ca48754a64f70a9d96e241a7
                                                                  • Opcode Fuzzy Hash: a968a163d27d4a2015612df6a25af1ade50538c4fbfbe472cc9928b4ab87bfd3
                                                                  • Instruction Fuzzy Hash: 5561F922B1C64286E711DF56E4817FEA761FF94B44F520132EE4D6B6AADE3CE44A8700
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                  • String ID:
                                                                  • API String ID: 2016347663-0
                                                                  • Opcode ID: cb8e8a2f44cc62cd32a632b202d835ef3b606d67b9c0b0e5f42087863e469a96
                                                                  • Instruction ID: b2acd3f24853af84b84caf3e142a7e559be100059cd57dc91e177e9f13c8645a
                                                                  • Opcode Fuzzy Hash: cb8e8a2f44cc62cd32a632b202d835ef3b606d67b9c0b0e5f42087863e469a96
                                                                  • Instruction Fuzzy Hash: C841F471B1875591EF24AB26E4042AAA351EB18FE4F964631DF6D0FBEADE7CE041C301
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: FileHandle$CloseCreateInformation
                                                                  • String ID:
                                                                  • API String ID: 1240749428-0
                                                                  • Opcode ID: 1068804706c036d4a9ce6b0869c9c46b2702efca279f26c5ccb680fbda452175
                                                                  • Instruction ID: 773ad036fa29e3ffb373cb92af7a27158f0c53b996c62361ce37cfc941aa7b44
                                                                  • Opcode Fuzzy Hash: 1068804706c036d4a9ce6b0869c9c46b2702efca279f26c5ccb680fbda452175
                                                                  • Instruction Fuzzy Hash: 5C41AF32F086418BF760CF71A8507AA33A0AB587A8F025735EE5C4BAA4DF3CE5958740
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
                                                                  • String ID:
                                                                  • API String ID: 3741236498-0
                                                                  • Opcode ID: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
                                                                  • Instruction ID: 2399298778637001bf4a7ce9c035b6f3aa8dd0502d1c8d7fb1d7a9cd51c3421c
                                                                  • Opcode Fuzzy Hash: 6447550c70440ae48e9dc09acfbe7fa3055870e3a5d625089a78ddc05dba8847
                                                                  • Instruction Fuzzy Hash: 1231C421B19FD180EB159B2BA9045B9B3A4FF09FE5B5555B6DD2D033A0DE3DD452C300
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Initialize__scrt_fastfail__scrt_initialize_default_local_stdio_options__scrt_initialize_onexit_tables_configthreadlocale_initialize_narrow_environment_initialize_onexit_table_onexit
                                                                  • String ID:
                                                                  • API String ID: 2153537742-0
                                                                  • Opcode ID: f539288d9f1f3d7249b87a9547d02823525d444580e8d32891b0b41e8399b437
                                                                  • Instruction ID: 534899ad21150968aac174715d7514135b35f9473fc5e80356d1b8ef46292b69
                                                                  • Opcode Fuzzy Hash: f539288d9f1f3d7249b87a9547d02823525d444580e8d32891b0b41e8399b437
                                                                  • Instruction Fuzzy Hash: 95115E38A0024155FA5FB7F398173EC11969FAC3C4F454524BB498F2F3EE7B88658662
                                                                  APIs
                                                                  • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE01325F96), ref: 00007FFE01322F59
                                                                  • calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01325F96), ref: 00007FFE01322F6B
                                                                  • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE01325F96), ref: 00007FFE01322F7A
                                                                  • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE01325F96), ref: 00007FFE01322FE0
                                                                  • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,00000000,00007FFE01325F96), ref: 00007FFE01322FEE
                                                                  • _wcsdup.API-MS-WIN-CRT-STRING-L1-1-0(?,?,00000000,00007FFE01325F96), ref: 00007FFE01323001
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: __pctype_func$___lc_codepage_func___lc_locale_name_func_wcsdupcalloc
                                                                  • String ID:
                                                                  • API String ID: 490008815-0
                                                                  • Opcode ID: 488e8b2b7200c0c5cd5a98dbe2f11f7538b0ba4341635e04412eecd9dffd49b4
                                                                  • Instruction ID: df463a8394aa59124c18be5c8946c464a103bf621f25258f0912fa112dc5b5e0
                                                                  • Opcode Fuzzy Hash: 488e8b2b7200c0c5cd5a98dbe2f11f7538b0ba4341635e04412eecd9dffd49b4
                                                                  • Instruction Fuzzy Hash: BE213022D18B8583E7159F38D5052783360FBA9B48F16E224CF8C1A222EF3DE5E9C340
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: CloseHandle$FileUnmapView
                                                                  • String ID:
                                                                  • API String ID: 260491571-0
                                                                  • Opcode ID: c79584006ebb6ab8165207e4d763d1a3cfb8469778cb55540dabe317a807c072
                                                                  • Instruction ID: e4157fc547da492297a5d265050bc8fab675aa544c6886f43f24823cbbcadd6d
                                                                  • Opcode Fuzzy Hash: c79584006ebb6ab8165207e4d763d1a3cfb8469778cb55540dabe317a807c072
                                                                  • Instruction Fuzzy Hash: 1DF01438616E00D5FA07DB63ECA83A427A1BB8DBD9F440211EB4E4B331DE3F85998300
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912475627.00007FFE1A4E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A4E0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912455125.00007FFE1A4E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                   • Associated: 0000000C.00000002.1912497165.00007FFE1A4E5000.00000002.00000001.01000000.0000000B.sdmp
                                                                   • Associated: 0000000C.00000002.1912522337.00007FFE1A4E8000.00000004.00000001.01000000.0000000B.sdmp
                                                                   • Associated: 0000000C.00000002.1912540672.00007FFE1A4E9000.00000002.00000001.01000000.0000000B.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4e0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: abort$CallEncodePointerTranslator
                                                                  • String ID: MOC$RCC
                                                                  • API String ID: 2889003569-2084237596
                                                                  • Opcode ID: b9d59197ed9058caaff3681df3c64902a43601032ad083162a420140406a310d
                                                                  • Instruction ID: b2b6ab9eec7b28b794da61869ddee1fb2de3b9e43f91c762a28a4db1882ed16f
                                                                  • Opcode Fuzzy Hash: b9d59197ed9058caaff3681df3c64902a43601032ad083162a420140406a310d
                                                                  • Instruction Fuzzy Hash: EF918273B08B858AE711CB6AD4402FD77A0FB54B98F1041AAEA4D57765DF3CE1A5CB00
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: abort$CallEncodePointerTranslator
                                                                  • String ID: MOC$RCC
                                                                  • API String ID: 2889003569-2084237596
                                                                  • Opcode ID: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
                                                                  • Instruction ID: 34683cb2c93244d91afc85d748310291b2b0af9f5a3e3f357678ef56b712a247
                                                                  • Opcode Fuzzy Hash: 63425386b35f735f5eb303e83bfbe55818570f32e5447e3767ff35a3eaf3afb3
                                                                  • Instruction Fuzzy Hash: B1918F73B08B818AE750CB6AE4802FD77A0F744B99F1451AAEE8D17765DF38E1A5C700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Name::operator+
                                                                  • String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
                                                                  • API String ID: 2943138195-757766384
                                                                  • Opcode ID: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
                                                                  • Instruction ID: 0dc2d77ddb4d7588111f9b991261f2f39bf3aa0772ce3a82ee036a3129ed583a
                                                                  • Opcode Fuzzy Hash: 8ec89114dc1e92fb087ff84a90b975bd849231731579a14e6ae3ff20f009c8f1
                                                                  • Instruction Fuzzy Hash: 1E716D71B0CE8288EB148F2AD9401FC66A5BB06B95F5495FBDA4D07A78DF3CE961C300
                                                                  APIs
                                                                  • memcmp.VCRUNTIME140 ref: 000000014000AD12
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000ADD5
                                                                    • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                                    • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: __acrt_iob_func__stdio_common_vfprintf_invalid_parameter_noinfo_noreturnmemcmp
                                                                  • String ID: @$[FAIL INT. ] path '%s' already exists at index %u$[FAIL INT. ] too many paths
                                                                  • API String ID: 3207467095-2931640462
                                                                  • Opcode ID: 18470ac69061ff4e66931cc73eae5b662a6f84f1ed1e258ceb6863b62889c5ad
                                                                  • Instruction ID: 2da19ac7c4dfbac8c42f28ebd32a6b72bd3b2cb838895640dc67fbc0c8e08b7c
                                                                  • Opcode Fuzzy Hash: 18470ac69061ff4e66931cc73eae5b662a6f84f1ed1e258ceb6863b62889c5ad
                                                                  • Instruction Fuzzy Hash: DC5169B2B10A5489EB11CF6AE8407DD37B1F709BA8F504216EF2A67BE9DB74C581C740
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: abort$CallEncodePointerTranslator
                                                                  • String ID: MOC$RCC
                                                                  • API String ID: 2889003569-2084237596
                                                                  • Opcode ID: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
                                                                  • Instruction ID: 806800fb25eebf395a7220206494845bb56fdbb4f008a24d1e3ae7cde1f0c4fa
                                                                  • Opcode Fuzzy Hash: bda6881e4fb6ddd96fb50e60b72b5d1eaa618bcc944dda4a5bc0b193bb5b3b27
                                                                  • Instruction Fuzzy Hash: C5613876A08B858AE724CF6AD4803FD77A0FB44B99F1451A6EE5D13B68DF38E065C700
                                                                  APIs
                                                                  • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0135B212), ref: 00007FFE0135BBFE
                                                                  • iswspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0135B212), ref: 00007FFE0135BC0F
                                                                  • iswxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE0135B212), ref: 00007FFE0135BC76
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: iswspace$iswxdigit
                                                                  • String ID: (
                                                                  • API String ID: 3812816871-3887548279
                                                                  • Opcode ID: b830cff0c5d28eb9b1a5e66846577f97d039b9518a3845ee8b60060626fc6f3e
                                                                  • Instruction ID: 94049cf9b3281b09dd83eb9552171b4b1373bfc8d593574b87a70efcfbca8ee4
                                                                  • Opcode Fuzzy Hash: b830cff0c5d28eb9b1a5e66846577f97d039b9518a3845ee8b60060626fc6f3e
                                                                  • Instruction Fuzzy Hash: C4518066D08553C6EF249F6295113F9F2E6EF20F94F4A8031EA894E4B8EF7DE841C211
                                                                  APIs
                                                                  • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01359122), ref: 00007FFE01359CFA
                                                                  • isspace.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01359122), ref: 00007FFE01359D0B
                                                                  • isxdigit.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01359122), ref: 00007FFE01359D64
                                                                  • isalnum.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FFE01359122), ref: 00007FFE01359E14
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: isspace$isalnumisxdigit
                                                                  • String ID: (
                                                                  • API String ID: 3355161242-3887548279
                                                                  • Opcode ID: 716b4af6be493bef1a1704f7f2c424fe19b579ad377a576405316da7889311fb
                                                                  • Instruction ID: 00a42c90ee41976f89dd6dad226369e3438c42710a52f1ee66478018d5ce9c5d
                                                                  • Opcode Fuzzy Hash: 716b4af6be493bef1a1704f7f2c424fe19b579ad377a576405316da7889311fb
                                                                  • Instruction Fuzzy Hash: F541B617D0C6C2D6EF254F31A9513F56B929F26F88F0AA031CA9C0F5A6DE1EF8069711
                                                                  APIs
                                                                    • Part of subcall function 00007FFE0135B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0B0
                                                                    • Part of subcall function 00007FFE0135B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0B8
                                                                    • Part of subcall function 00007FFE0135B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0C1
                                                                    • Part of subcall function 00007FFE0135B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0DD
                                                                  • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFE0133A22C), ref: 00007FFE01343A25
                                                                    • Part of subcall function 00007FFE0132B794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01351347,?,?,?,?,?,?,?,?,?,00007FFE0135243E), ref: 00007FFE0132B7BF
                                                                    • Part of subcall function 00007FFE0132B794: memmove.VCRUNTIME140(?,?,00000000,00007FFE01351347,?,?,?,?,?,?,?,?,?,00007FFE0135243E), ref: 00007FFE0132B7DB
                                                                  • _Getvals.LIBCPMT ref: 00007FFE01343A61
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Getvals___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
                                                                  • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                                  • API String ID: 3031888307-3573081731
                                                                  • Opcode ID: afe44bbbf315c128d24a0806b0508227c1b26fb6639d53e1a60ace2258aa4d08
                                                                  • Instruction ID: 3930cab29fdd86efc24982924f430dfeddc8f0c25c434359ccf2262f431860a8
                                                                  • Opcode Fuzzy Hash: afe44bbbf315c128d24a0806b0508227c1b26fb6639d53e1a60ace2258aa4d08
                                                                  • Instruction Fuzzy Hash: 3F41CC72E08B919BE724CF26D58056E7BA0FB44B81B064235DB8957E21DF7CF562CB00
                                                                  APIs
                                                                  • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE01343CE2
                                                                    • Part of subcall function 00007FFE0135B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0B0
                                                                    • Part of subcall function 00007FFE0135B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0B8
                                                                    • Part of subcall function 00007FFE0135B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0C1
                                                                    • Part of subcall function 00007FFE0135B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0DD
                                                                  • _Maklocstr.LIBCPMT ref: 00007FFE01343D5B
                                                                  • _Maklocstr.LIBCPMT ref: 00007FFE01343D71
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                                  • String ID: false$true
                                                                  • API String ID: 309754672-2658103896
                                                                  • Opcode ID: 338e19288eb98bd8f1b47372f9c1aa56ee45ee7e80caca0ac6520e6642491e8a
                                                                  • Instruction ID: 85f7f966a36a8d76c5c883ee1dcac27c0f7947b05a9b326c79b142c65a2a7649
                                                                  • Opcode Fuzzy Hash: 338e19288eb98bd8f1b47372f9c1aa56ee45ee7e80caca0ac6520e6642491e8a
                                                                  • Instruction Fuzzy Hash: 35416922B18B559AE710CF71E4402ED33B0FB88B48B414126EE4D2BB69EF3CD595C394
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                  • API String ID: 2003779279-1866435925
                                                                  • Opcode ID: 8d3ac1472eb59521ab7cb33da99209fe59d652a56c411d01b23e09fa8017a7eb
                                                                  • Instruction ID: b1b5f309923cb4d740306b84e6e476ddf071785e72901c544bf87843ff6d9363
                                                                  • Opcode Fuzzy Hash: 8d3ac1472eb59521ab7cb33da99209fe59d652a56c411d01b23e09fa8017a7eb
                                                                  • Instruction Fuzzy Hash: E121DE72A0874692EF24EB24E6413B933A0FF64784F950035EA4D4BAB5DF3CE0A5C301
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionThrowstd::ios_base::failure::failure
                                                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                  • API String ID: 2003779279-1866435925
                                                                  • Opcode ID: 849b74ee5f73fdde2bfa1f1610c189757ac49f4ca831a016d12bb1df7dcfb911
                                                                  • Instruction ID: e5a81bf3d5fcb3f0f034b915d571b80ab67d53a378f7c71a797921035c5cdb88
                                                                  • Opcode Fuzzy Hash: 849b74ee5f73fdde2bfa1f1610c189757ac49f4ca831a016d12bb1df7dcfb911
                                                                  • Instruction Fuzzy Hash: 90F0AD71A1860A96EF24EB00D8826F92361FF60744FA54431D20E0E5B5EF3DE14AC742
                                                                  APIs
                                                                  • ?Recycle@MemoryRecycler@allocator@dvacore@@YAXPEAX_K@Z.DVACORE ref: 0000000140006CC6
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 0000000140006CF5
                                                                  • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006D52
                                                                  • memcpy.VCRUNTIME140 ref: 0000000140006DD5
                                                                  • ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ.MSVCP140 ref: 0000000140006E6E
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: D@std@@@std@@Pninc@?$basic_streambuf@U?$char_traits@$MemoryRecycle@Recycler@allocator@dvacore@@_invalid_parameter_noinfo_noreturnmemcpy
                                                                  • String ID:
                                                                  • API String ID: 3275830057-0
                                                                  • Opcode ID: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
                                                                  • Instruction ID: 3173563bc62d35887f7c9779bdd612006aafe20ffacca945d5b8f48763ffbb63
                                                                  • Opcode Fuzzy Hash: f13f8127416e7d7f80275f329ef49376f0d8f6da619257fe439308a18cea4d8f
                                                                  • Instruction Fuzzy Hash: 5CA16BB2704B8485EB16CF2AE5443A977A2F389FE8F584516EF8D177A4DB38C895C340
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: fgetwc
                                                                  • String ID:
                                                                  • API String ID: 2948136663-0
                                                                  • Opcode ID: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                                  • Instruction ID: 974da24d2ebada8d7d449eee344efd096595e95031c6cba1a61236d4f090a4bf
                                                                  • Opcode Fuzzy Hash: ed1427ec7fd184f05f105e4a19992df21d1a2cad319d232875e2ff79a26b5bc3
                                                                  • Instruction Fuzzy Hash: 5D814A72605A81D8EB64CF65C0903AC33A1FB58F88F565636EA4E4BBA9DF3DD454C304
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: memcpy$_invalid_parameter_noinfo_noreturn
                                                                  • String ID:
                                                                  • API String ID: 2665656946-0
                                                                  • Opcode ID: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                                  • Instruction ID: 6f8685d0ee64a854513a2710a76b76ebba126a19a16799565d604b2c87d49ee9
                                                                  • Opcode Fuzzy Hash: 314d0bc367498784a6055c5724ef22bc855d96b1200b035c08f9136b1467eef2
                                                                  • Instruction Fuzzy Hash: 884191B2304B8495EE16DB27B9043D9A395A74EBE0F440625BF6D0B7E5DE7CC081C304
                                                                  APIs
                                                                  • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01351347), ref: 00007FFE0132B9D3
                                                                  • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01351347), ref: 00007FFE0132B9E1
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01351347), ref: 00007FFE0132BA1A
                                                                  • memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01351347), ref: 00007FFE0132BA24
                                                                  • memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,00000000,00007FFE01351347), ref: 00007FFE0132BA32
                                                                    • Part of subcall function 00007FFE013725AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01325AF8), ref: 00007FFE013725C6
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: memmovememset$_invalid_parameter_noinfo_noreturnmalloc
                                                                  • String ID:
                                                                  • API String ID: 3042321802-0
                                                                  • Opcode ID: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                                  • Instruction ID: e9450e58239064a057c8b40ff9f2a003a5a325e9319b24e6d2f64e1d8b78c040
                                                                  • Opcode Fuzzy Hash: e1e662882264babfe03a29ca6950b8a7f1ee3d95dd1c18b575c3811a2ced279c
                                                                  • Instruction Fuzzy Hash: 5D31B231B08B8681EF14AF16A5043BAA352FB14BD0F594531EF5D0FBAADE7CE0818302
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                  • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: NameName::$Name::operator+
                                                                  • String ID:
                                                                  • API String ID: 826178784-0
                                                                  • Opcode ID: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                                  • Instruction ID: 37217b4ca82fc8d9331ddd5be344145f9b3133532001474becc22a71def7acb6
                                                                  • Opcode Fuzzy Hash: 7682a6ebcb32bf14f43659220100a1b4a5a4a6e3db385e7ce84af32120df353b
                                                                  • Instruction Fuzzy Hash: FD413922B08E5698EB10CF26E9801FC33A4BB55FA5B5450F3EA5D537A5DF38E965C300
                                                                  APIs
                                                                    • Part of subcall function 00007FFE01332160: setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FFE01324C3E,?,?,00000000,00007FFE01325B5B), ref: 00007FFE0133216F
                                                                  • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01325B5B), ref: 00007FFE01324C47
                                                                  • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01325B5B), ref: 00007FFE01324C5B
                                                                  • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01325B5B), ref: 00007FFE01324C6F
                                                                  • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01325B5B), ref: 00007FFE01324C83
                                                                  • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01325B5B), ref: 00007FFE01324C97
                                                                  • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01325B5B), ref: 00007FFE01324CAB
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: free$setlocale
                                                                  • String ID:
                                                                  • API String ID: 294139027-0
                                                                  • Opcode ID: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                                  • Instruction ID: e43bb4e5af6b4106ae9d25502c843310bef69f8c8b29aacae49f143a00e1f6d4
                                                                  • Opcode Fuzzy Hash: af9b31b71ee19020bdfcdf2881afb454c7cf1e65ca09aa02857d537e0dbc91a2
                                                                  • Instruction Fuzzy Hash: 61112922A46B4581FF2EAFA5D0F533923A1EF54F08F1A0134CA0E0E168CF6DE894D391
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: __acrt_iob_func$abortfputcfputs
                                                                  • String ID:
                                                                  • API String ID: 2697642930-0
                                                                  • Opcode ID: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                                  • Instruction ID: 98e7339b8382ee56d2c5ac4f52e604280a9e99619b2ab045bb9608211097a79d
                                                                  • Opcode Fuzzy Hash: cc43f010146a263ee9c93af417586094a0b7170059f9927bafddb445a1bda61b
                                                                  • Instruction Fuzzy Hash: BBE0ECA4A08746C6F72C6F61EC1933463279F48B62F250038C90F8A3B4CE2C64884211
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                                  • String ID: %.0Lf$0123456789-
                                                                  • API String ID: 4032823789-3094241602
                                                                  • Opcode ID: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                                  • Instruction ID: 60c38668410afdae0426b07d5ed357cd295827260db94bac0b432ebc94756ac0
                                                                  • Opcode Fuzzy Hash: fa63dc956d0c7b6bff8e3ee81f661619dd0e36560abcb1dd68b26c2578e8d3d2
                                                                  • Instruction Fuzzy Hash: 1C717D62B09B55CAEB10CFA6D4502AC3371FB48B98F455136DE4D1BBA8DE3CE44AC340
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo_noreturnmemchrmemmove
                                                                  • String ID: 0123456789-
                                                                  • API String ID: 2457263114-3850129594
                                                                  • Opcode ID: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                                  • Instruction ID: 6b8af2f0c852fc845bf7547e61a1431f7cb5e0213e8615643cc1915fd6308dcb
                                                                  • Opcode Fuzzy Hash: 8c4be3c5c3f65d5f443b50efeabd6800258d3d8700801e0cd99edaa92c67ca0d
                                                                  • Instruction Fuzzy Hash: 47719E62B09B8589FB11CBB5E4502AC7771EB59B98F850035DE4E2BBA9CF3CD45AC300
                                                                  APIs
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CB86
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000CCD1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo_noreturn
                                                                  • String ID: gfffffff$gfffffff
                                                                  • API String ID: 3668304517-161084747
                                                                  • Opcode ID: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                                  • Instruction ID: 0937b4d6cc115db4af66b3ecbb46b401b0ea56f4de858bbb036e92e46f157e0a
                                                                  • Opcode Fuzzy Hash: 32859df8e06c2c5f4985c7dd554c6d2d37e083af61b95c2e78cf3b3f545f0329
                                                                  • Instruction Fuzzy Hash: D151B5B2311B8942EE25CB17F945799B355E748BE4F048226AFAD8B7E4DF38D081C301
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: memset$_invalid_parameter_noinfo_noreturnswprintf_s
                                                                  • String ID: %.0Lf
                                                                  • API String ID: 1248405305-1402515088
                                                                  • Opcode ID: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                                  • Instruction ID: 396955244d3a1a6e8557153f19c57fad09d3cbb1ef443b7795f2461a706706ac
                                                                  • Opcode Fuzzy Hash: b1e8befe6e1bc886ac1d936d3d3b688ef32ab1e9c7f518542a458b120f78afb2
                                                                  • Instruction Fuzzy Hash: 2D61A122B08B8585EB11DBB6E8402ED7771FB59B98F564135EE8D2BB6ADE3CD045C300
                                                                  APIs
                                                                    • Part of subcall function 00007FFE1A4E349C: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFE1A4E1222), ref: 00007FFE1A4E34DC
                                                                  • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E222F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912475627.00007FFE1A4E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A4E0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912455125.00007FFE1A4E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                  • Associated: 0000000C.00000002.1912497165.00007FFE1A4E5000.00000002.00000001.01000000.0000000B.sdmp
                                                                  • Associated: 0000000C.00000002.1912522337.00007FFE1A4E8000.00000004.00000001.01000000.0000000B.sdmp
                                                                  • Associated: 0000000C.00000002.1912540672.00007FFE1A4E9000.00000002.00000001.01000000.0000000B.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4e0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: abort
                                                                  • String ID: $csm$csm
                                                                  • API String ID: 4206212132-1512788406
                                                                  • Opcode ID: a09d5685cbd6900e1f150081fbd72c345e37c8c45745b80ef19bb6454a475952
                                                                  • Instruction ID: bbe61985bf80bcc9ad6940e99972ca207d82d2d6653cc7d8bb8c6c22151dce89
                                                                  • Opcode Fuzzy Hash: a09d5685cbd6900e1f150081fbd72c345e37c8c45745b80ef19bb6454a475952
                                                                  • Instruction Fuzzy Hash: D671A432B08A828ADB618F26D45077DBBA0FB05FA5F1481B6DE4C57AA5CF3CD5A1C701
                                                                  APIs
                                                                    • Part of subcall function 00007FFE1A4F6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4F239E), ref: 00007FFE1A4F671E
                                                                  • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4F41C3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: abort
                                                                  • String ID: $csm$csm
                                                                  • API String ID: 4206212132-1512788406
                                                                  • Opcode ID: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                                  • Instruction ID: 394b19998c4cd9b18c06857df5aa9ad122e38c9e8200c63abdfd6987a525aa45
                                                                  • Opcode Fuzzy Hash: a1e41bd14f4dc8a012b9b6851bae8dba3a2639313cd67671a1d4b299b7556132
                                                                  • Instruction Fuzzy Hash: CD71A336608A8186DB608F1A94447FD7BA0FB45FEAF0491B6DF4C47AA6CF2CD461C741
                                                                  APIs
                                                                    • Part of subcall function 00007FFE1A4F6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4F239E), ref: 00007FFE1A4F671E
                                                                  • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4F3F13
                                                                  • __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FFE1A4F3F23
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Frameabort$EmptyHandler3::StateUnwind
                                                                  • String ID: csm$csm
                                                                  • API String ID: 4108983575-3733052814
                                                                  • Opcode ID: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                                  • Instruction ID: 28d21353d557c091a8e5c0382c7c442686e72135473f573c01617126d589236f
                                                                  • Opcode Fuzzy Hash: 723d316c6bb1492db26d318ced58129fbbb71e04f86aecbd325fb3d3c805e488
                                                                  • Instruction Fuzzy Hash: 2F514232A08A4286EB648B1B94442B876A0FB54FA6F1461F7DB9D47BE5CF3CF560C701
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Exception$RaiseThrowabort
                                                                  • String ID: csm
                                                                  • API String ID: 3758033050-1018135373
                                                                  • Opcode ID: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                                  • Instruction ID: db4cc9a8a5f5e9e906d6549517d8349b43eb96c7d48cda581bcd10d81c9dacfe
                                                                  • Opcode Fuzzy Hash: 41d3011ef526da4fb6bf1b269c872e6bf0f3703c205a1fec46793368d0a6d4a5
                                                                  • Instruction Fuzzy Hash: CA515C33904BC586EB25DF28C8502A833A0FB68B98F169325DA5D1B7A6DF3DE5D5C300
                                                                  APIs
                                                                  • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0132F8D4
                                                                  • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0132F8E6
                                                                  • setlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FFE0132F96B
                                                                    • Part of subcall function 00007FFE01324D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01332124,?,?,?,00007FFE013243DB,?,?,?,00007FFE01325B31), ref: 00007FFE01324D72
                                                                    • Part of subcall function 00007FFE01324D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01332124,?,?,?,00007FFE013243DB,?,?,?,00007FFE01325B31), ref: 00007FFE01324D98
                                                                    • Part of subcall function 00007FFE01324D50: memmove.VCRUNTIME140(?,?,?,00007FFE01332124,?,?,?,00007FFE013243DB,?,?,?,00007FFE01325B31), ref: 00007FFE01324DB0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: setlocale$freemallocmemmove
                                                                  • String ID: bad locale name
                                                                  • API String ID: 4085402405-1405518554
                                                                  • Opcode ID: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                                  • Instruction ID: 792b2a5ce9e9b3a0f34e827d5e22bf3f03f4f930614cde694a92c036f37aeea3
                                                                  • Opcode Fuzzy Hash: 3089d947b349021dcfde64b703aff5a4e4dbb642b6d91910f5acbb906797f4a3
                                                                  • Instruction Fuzzy Hash: 15312932F0878241FB24EB16E40017AA6B5AF54BC0F5A8035DA5D4F7B5DE7CE4818341
                                                                  APIs
                                                                    • Part of subcall function 00007FFE0135B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0B0
                                                                    • Part of subcall function 00007FFE0135B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0B8
                                                                    • Part of subcall function 00007FFE0135B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0C1
                                                                    • Part of subcall function 00007FFE0135B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0DD
                                                                  • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,00000000,?,00000001,00007FFE0133A07C), ref: 00007FFE013438E1
                                                                    • Part of subcall function 00007FFE0132B794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01351347,?,?,?,?,?,?,?,?,?,00007FFE0135243E), ref: 00007FFE0132B7BF
                                                                    • Part of subcall function 00007FFE0132B794: memmove.VCRUNTIME140(?,?,00000000,00007FFE01351347,?,?,?,?,?,?,?,?,?,00007FFE0135243E), ref: 00007FFE0132B7DB
                                                                    • Part of subcall function 00007FFE013367B0: _Maklocstr.LIBCPMT ref: 00007FFE013367E0
                                                                    • Part of subcall function 00007FFE013367B0: _Maklocstr.LIBCPMT ref: 00007FFE013367FF
                                                                    • Part of subcall function 00007FFE013367B0: _Maklocstr.LIBCPMT ref: 00007FFE0133681E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Maklocstr$___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
                                                                  • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                                  • API String ID: 2504686060-3573081731
                                                                  • Opcode ID: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                                  • Instruction ID: e5526f21fffdafb618add28bccc7724eb620e3df7ec1c9c7b41f8d580b5c8772
                                                                  • Opcode Fuzzy Hash: 5fb98ecc23b1440d1e6e1dedbf84344ef495620835dca63dbf83dea626920800
                                                                  • Instruction Fuzzy Hash: A8410272A08B919BE724CF21D18066EBBA1FB84791B064235DB8D47E21DF7CF562CB00
                                                                  APIs
                                                                    • Part of subcall function 00007FFE0135B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0B0
                                                                    • Part of subcall function 00007FFE0135B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0B8
                                                                    • Part of subcall function 00007FFE0135B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0C1
                                                                    • Part of subcall function 00007FFE0135B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0DD
                                                                  • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,0000003F,?,00000001,00007FFE01352278), ref: 00007FFE0135434D
                                                                    • Part of subcall function 00007FFE0132B794: calloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01351347,?,?,?,?,?,?,?,?,?,00007FFE0135243E), ref: 00007FFE0132B7BF
                                                                    • Part of subcall function 00007FFE0132B794: memmove.VCRUNTIME140(?,?,00000000,00007FFE01351347,?,?,?,?,?,?,?,?,?,00007FFE0135243E), ref: 00007FFE0132B7DB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funccalloclocaleconvmemmove
                                                                  • String ID: $+xv$$+xv$+v$x+v$xv$+xv+$xv$+x+$vx+$vx$v+x+$vx$+vx+v $+v $v $+v +$v $++$ v+$ v$ v++$ v$+ v+xv$+ v$v$ +v+ $v$ ++x$v+ $v$v ++ $v$ +v
                                                                  • API String ID: 462457024-3573081731
                                                                  • Opcode ID: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                                  • Instruction ID: 8d3673991d6cced476f17684f2330ecf582bda70d4e43d7470cd221deae74fb7
                                                                  • Opcode Fuzzy Hash: 2566776ce46715a1dcd3a2bb79e4a760c3df9f1c89cfc7252a8fa556c06b05a3
                                                                  • Instruction Fuzzy Hash: 3741A272A08B8197E724CF25D58066D7BA0FB44B81B064235DB4957E21EF3CF5B1CB00
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: NameName::
                                                                  • String ID: %lf
                                                                  • API String ID: 1333004437-2891890143
                                                                  • Opcode ID: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                                  • Instruction ID: 8e2300a55683ed272c055ce9e876ae68fa398115fc118102fe17fa9e8936dfc4
                                                                  • Opcode Fuzzy Hash: f37b8968dc856f8c22d72c120ca4476383f363961e161f929d9d255907aecf6d
                                                                  • Instruction Fuzzy Hash: 3131A022B0CE8185EA20CB2AA8502BE73A0FB85F95F5491F3EA9E47665CF3CD5118740
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: FileFindNext$wcscpy_s
                                                                  • String ID: .
                                                                  • API String ID: 544952861-248832578
                                                                  • Opcode ID: 45e9ef7686e1186a7aee778403a8dd31be2fd3c48eb990b4e7a9f872669560ec
                                                                  • Instruction ID: 5a59d09893b46d765685d9dfd97178f19c411a6f49916345ae499c5114722dc6
                                                                  • Opcode Fuzzy Hash: 45e9ef7686e1186a7aee778403a8dd31be2fd3c48eb990b4e7a9f872669560ec
                                                                  • Instruction Fuzzy Hash: F8216372A0C78186FB70AF25E8443BA73A0EB58B94F554131EACD4BAA4DF7CD4858B41
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionThrow$std::ios_base::failure::failure
                                                                  • String ID: ios_base::badbit set
                                                                  • API String ID: 1099746521-3882152299
                                                                  • Opcode ID: b18094d71eb5fa0dd49bb41d4a20651cb5020cf0babcbd14d2a38fb164982f78
                                                                  • Instruction ID: 563e9b46c17344731dc2220f30cd5ccf89ee36ef5067d70003209c8b6c2c39c9
                                                                  • Opcode Fuzzy Hash: b18094d71eb5fa0dd49bb41d4a20651cb5020cf0babcbd14d2a38fb164982f78
                                                                  • Instruction Fuzzy Hash: AC01DBB1E2D61791FF28F725D8425BD1212EFB0744F258135D90E0F9B5DE3DE5068241
                                                                  APIs
                                                                    • Part of subcall function 00007FFE1A4E349C: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFE1A4E1222), ref: 00007FFE1A4E34DC
                                                                  • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E12A6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912475627.00007FFE1A4E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A4E0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912455125.00007FFE1A4E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                   • Associated: 0000000C.00000002.1912497165.00007FFE1A4E5000.00000002.00000001.01000000.0000000B.sdmp
                                                                   • Associated: 0000000C.00000002.1912522337.00007FFE1A4E8000.00000004.00000001.01000000.0000000B.sdmp
                                                                   • Associated: 0000000C.00000002.1912540672.00007FFE1A4E9000.00000002.00000001.01000000.0000000B.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4e0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: abortterminate
                                                                  • String ID: MOC$RCC$csm
                                                                  • API String ID: 661698970-2671469338
                                                                  • Opcode ID: 603a5f7e1ffd35de89984d0ad558701558f89ae88de5ad9bc6a09e4dc68ebe23
                                                                  • Instruction ID: ea2a90e03b60fe58ebd9cad06694d07d09d01719d26c8e2251cf3d794801784c
                                                                  • Opcode Fuzzy Hash: 603a5f7e1ffd35de89984d0ad558701558f89ae88de5ad9bc6a09e4dc68ebe23
                                                                  • Instruction Fuzzy Hash: AAF04F36A18A4782E751AB66E5851BC36A4EF48F64F1951F2D74846262CF3CE8B0CB01
                                                                  APIs
                                                                    • Part of subcall function 00007FFE1A4F6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4F239E), ref: 00007FFE1A4F671E
                                                                  • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4F243E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: abortterminate
                                                                  • String ID: MOC$RCC$csm
                                                                  • API String ID: 661698970-2671469338
                                                                  • Opcode ID: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                                  • Instruction ID: 44569b52ea9b8adb3ad301478acc9cc11ffaba02817bc8a8bcef15db2356ef8e
                                                                  • Opcode Fuzzy Hash: b838753ef247b2fc749e3877e0128dea9035de62b0ba29f15289213c97603889
                                                                  • Instruction Fuzzy Hash: 7AF04435A18A4681D7505F6AE1410BD76A5FB48F65F1560F3DB5807271CF7CE4B0CA41
                                                                  APIs
                                                                  • __C_specific_handler.LIBVCRUNTIME ref: 00007FFE1A4FE9F0
                                                                    • Part of subcall function 00007FFE1A4FEC30: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FFE1A4FECF0
                                                                    • Part of subcall function 00007FFE1A4FEC30: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FFE1A4FE9F5), ref: 00007FFE1A4FED3F
                                                                    • Part of subcall function 00007FFE1A4F6710: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE1A4F239E), ref: 00007FFE1A4F671E
                                                                  • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4FEA1A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: C_specific_handlerCurrentImageNonwritableUnwindabortterminate
                                                                  • String ID: csm$f
                                                                  • API String ID: 2451123448-629598281
                                                                  • Opcode ID: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                                  • Instruction ID: 1c586304f79faef4cea430223376738cc8b9488394c83c5b4f2398b0998566c3
                                                                  • Opcode Fuzzy Hash: c9fb23446a5b638453e0304dd207887769bfaeb8010eb75ee95ffcfd07f137de
                                                                  • Instruction Fuzzy Hash: B2E0A061F18A8281E7306B66A1821BC66A1FF15F62F14A0F7DA4806266CE38E4B08601
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Name::operator+
                                                                  • String ID:
                                                                  • API String ID: 2943138195-0
                                                                  • Opcode ID: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                                  • Instruction ID: a68a43f89fa648575cccad36cd4d26b7da2d77ae10d2a22c7259e59dc36ae87c
                                                                  • Opcode Fuzzy Hash: f50f9f5b0f4c072e52125a456639a7d4e2bd829a5a5137cb56b4f6bb80237050
                                                                  • Instruction Fuzzy Hash: 34919E26F08E5288F7118B6AD8403FC37A0BB01B25F6490F7DA4D576A6DF7CA855C350
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Name::operator+$NameName::
                                                                  • String ID:
                                                                  • API String ID: 168861036-0
                                                                  • Opcode ID: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
                                                                  • Instruction ID: 1b4aba3d77dd094dfd1bf00bb1e7e72f493f35e8dbc4391039e7dbd5edb3c51c
                                                                  • Opcode Fuzzy Hash: fdc850366a52cc8509fdc883a27d076c67a20e363f2b2ed3a2a440fa302089d7
                                                                  • Instruction Fuzzy Hash: 09517972B18A5688FB10CF2AE9403BC37A0BB45B69F54A0B2DA0D47BA5DF79E455C340
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: memset$_invalid_parameter_noinfo_noreturnmemcpy
                                                                  • String ID:
                                                                  • API String ID: 3533975685-0
                                                                  • Opcode ID: f0acfebeec57c01816e898725c36c4e30a40acc5555a2c14dbc06bee451d9b77
                                                                  • Instruction ID: 948ad675966271c9991ceaad39470193d7d81f5c1b48440d7dc352eab6ab828f
                                                                  • Opcode Fuzzy Hash: f0acfebeec57c01816e898725c36c4e30a40acc5555a2c14dbc06bee451d9b77
                                                                  • Instruction Fuzzy Hash: B431B4B2711A9451EA06DF66F5443EDA291A788BE0F548635AF6C077E5EF38C4E2C300
                                                                  APIs
                                                                  • memmove.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE013367E5), ref: 00007FFE01336EA1
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE013367E5), ref: 00007FFE01336EF2
                                                                  • memmove.VCRUNTIME140(?,?,?,7FFFFFFFFFFFFFFE,?,?,?,?,?,?,00000000,00000000,?,00000000,00000048,00007FFE013367E5), ref: 00007FFE01336EFC
                                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE01336F3D
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                  • String ID:
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
                                                                  • String ID:
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: Xp_movx$Xp_setw_errnoldexpmemmove
                                                                  • String ID:
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcislower
                                                                  • String ID:
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: ___lc_codepage_func___lc_locale_name_func__pctype_funcisupper
                                                                  • String ID:
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: Name::operator+
                                                                  • String ID:
                                                                  APIs
                                                                  • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,00000000,?,?,?,00007FFE0134E921), ref: 00007FFE0135AFB7
                                                                  • memmove.VCRUNTIME140(?,00000000,?,?,?,00007FFE0134E921), ref: 00007FFE0135AFDB
                                                                  • malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFE0134E921), ref: 00007FFE0135AFE8
                                                                  • free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,?,?,00007FFE0134E921), ref: 00007FFE0135B05B
                                                                    • Part of subcall function 00007FFE01322E30: wcsnlen.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE01322E5A
                                                                    • Part of subcall function 00007FFE01322E30: LCMapStringEx.KERNEL32 ref: 00007FFE01322E9E
                                                                  Similarity
                                                                  • API ID: String___lc_locale_name_funcfreemallocmemmovewcsnlen
                                                                  • String ID:
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: _wfsopen$fclosefseek
                                                                  • String ID:
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: _fsopen$fclosefseek
                                                                  • String ID:
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: ErrorLast_invalid_parameter_noinfo_noreturn$FormatFreeLibraryMessage
                                                                  • String ID:
                                                                  APIs
                                                                  • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FFE0135576B), ref: 00007FFE0135A604
                                                                  • ___lc_collate_cp_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,00007FFE0135576B), ref: 00007FFE0135A60E
                                                                    • Part of subcall function 00007FFE013226E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE01322728
                                                                    • Part of subcall function 00007FFE013226E0: __strncnt.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FFE0132274E
                                                                    • Part of subcall function 00007FFE013226E0: GetCPInfo.KERNEL32 ref: 00007FFE01322792
                                                                  • memcmp.VCRUNTIME140(?,?,?,?,?,?,?,00007FFE0135576B), ref: 00007FFE0135A631
                                                                  • _errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00007FFE0135576B), ref: 00007FFE0135A66F
                                                                  Similarity
                                                                  • API ID: __strncnt$Info___lc_collate_cp_func___lc_locale_name_func_errnomemcmp
                                                                  • String ID:
                                                                  APIs
                                                                  • memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                                    • Part of subcall function 000000014000BC30: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BC8F
                                                                    • Part of subcall function 000000014000BC30: __stdio_common_vfprintf.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000000,000000014000B330), ref: 000000014000BCAE
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: __acrt_iob_func__stdio_common_vfprintfmemset
                                                                  • String ID: [FINALIZE ] %08X %s$[UNLOAD LIB]$[UNLOAD LIB] %08X %s
                                                                  APIs
                                                                  • ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0B0
                                                                  • ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0B8
                                                                  • ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0C1
                                                                  • __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0DD
                                                                  Similarity
                                                                  • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_func
                                                                  • String ID:
                                                                  • API String ID: 3203701943-0
                                                                  • Opcode ID: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
                                                                  • Instruction ID: e80aa54a0c6f972b92af9c5a88f99e7d730eb3de78c0d3924544201bcb058cb3
                                                                  • Opcode Fuzzy Hash: ef19d35023d8e628eed813c77d0447fb231f9ae334597f1a57a176e318bf1fbd
                                                                  • Instruction Fuzzy Hash: BD01C4A2E15B9586EB598F7AD804168B7A0FB58F88B159235DA4E8B724DB3CD1C28700
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: memmove$FormatFreeLocalMessage
                                                                  • String ID: unknown error
                                                                  • API String ID: 725469203-3078798498
                                                                  • Opcode ID: 37ba838826cd70d9d591dcbc435c2a3c18e79b33b76249e781432721d4dcd293
                                                                  • Instruction ID: 3d302ca97644df8148d79ba14e19aa6b3a8c550076166815bd14b81c406df614
                                                                  • Opcode Fuzzy Hash: 37ba838826cd70d9d591dcbc435c2a3c18e79b33b76249e781432721d4dcd293
                                                                  • Instruction Fuzzy Hash: EC115E2260878586E7219B25E14136DB7A0FB49FD8F498174EB8D0F7AACF7CD5508744
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: malloc
                                                                  • String ID: MOC$RCC$csm
                                                                  • API String ID: 2803490479-2671469338
                                                                  • Opcode ID: e15f6a6168a41ae6d63f11c971b02e69181d3bca20467f3ec0c288ca60c2c75b
                                                                  • Instruction ID: 00febb873ac2951ad6b6bd66bd6da2199d20445489d5bca8952aec54a36c2dea
                                                                  • Opcode Fuzzy Hash: e15f6a6168a41ae6d63f11c971b02e69181d3bca20467f3ec0c288ca60c2c75b
                                                                  • Instruction Fuzzy Hash: 4801A731E0820286FF74AF15994417E33B1EF68B84F1A4031DA0D1F7A5CE2CE881C643
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo_noreturnmemmove
                                                                  • String ID: 0123456789-
                                                                  • API String ID: 4032823789-3850129594
                                                                  • Opcode ID: 087b80219a7abc084ea80889b2ea5c4dce6a7d36c716b4555a794046ca4908f1
                                                                  • Instruction ID: 27f18ebe600d886ec4119e8b350aad815511e3e1339f6240350cae4a242111e0
                                                                  • Opcode Fuzzy Hash: 087b80219a7abc084ea80889b2ea5c4dce6a7d36c716b4555a794046ca4908f1
                                                                  • Instruction Fuzzy Hash: BA718E62B09B558AFB10CFA5E4502AC3371FB48B98F465136DE4D1BBA8DE3CE44AC344
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                                  • String ID: %.0Lf
                                                                  • API String ID: 296878162-1402515088
                                                                  • Opcode ID: 5a4d563a18775b69986e137ad3adbc7dd30679c36a0b1d805a8bd9c508e10a71
                                                                  • Instruction ID: d5e26746e4ecb32c8dbb928e8b8ccec25ecdde3c7f38de1d1089efdbf160852f
                                                                  • Opcode Fuzzy Hash: 5a4d563a18775b69986e137ad3adbc7dd30679c36a0b1d805a8bd9c508e10a71
                                                                  • Instruction Fuzzy Hash: 5A719122B09B8586EB11CB66E4402AD7371FF85B98F125136EE8D2BB69DF3CE045C344
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo_noreturnswprintf_s
                                                                  • String ID: %.0Lf
                                                                  • API String ID: 296878162-1402515088
                                                                  • Opcode ID: ee1491a657aa9157b33aeeee70a7cdfd851f52d190288e523924d1584d869f09
                                                                  • Instruction ID: b69f349c38dc52e356d1ccc3e8bf601b4f7b7ccac846e267175ecc6207873692
                                                                  • Opcode Fuzzy Hash: ee1491a657aa9157b33aeeee70a7cdfd851f52d190288e523924d1584d869f09
                                                                  • Instruction Fuzzy Hash: 63717F26B09B8586EB11CB65E8402AD77B1EF94B98F115136EE4D2BB79DF3CE045C340
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: rand_s
                                                                  • String ID: invalid random_device value
                                                                  • API String ID: 863162693-3926945683
                                                                  • Opcode ID: 1f0bf483c807b0933479a94a212f7c0e0c81eea9436f44e2959e188e7e1d09d4
                                                                  • Instruction ID: 19b0009abad71e16e2c4549b905ac9440ffe7f3d1f4c74532c78ce8da1614774
                                                                  • Opcode Fuzzy Hash: 1f0bf483c807b0933479a94a212f7c0e0c81eea9436f44e2959e188e7e1d09d4
                                                                  • Instruction Fuzzy Hash: F951E122D18B86C5F3529B3884513BA6364BF15BC8F064B32E65E2F5B5DF2DB0968340
                                                                  APIs
                                                                    • Part of subcall function 00007FFE1A4E349C: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,00007FFE1A4E1222), ref: 00007FFE1A4E34DC
                                                                  • _CreateFrameInfo.LIBVCRUNTIME ref: 00007FFE1A4E2666
                                                                  • abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FFE1A4E26C4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912475627.00007FFE1A4E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A4E0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912455125.00007FFE1A4E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                   • Associated: 0000000C.00000002.1912497165.00007FFE1A4E5000.00000002.00000001.01000000.0000000B.sdmp
                                                                   • Associated: 0000000C.00000002.1912522337.00007FFE1A4E8000.00000004.00000001.01000000.0000000B.sdmp
                                                                   • Associated: 0000000C.00000002.1912540672.00007FFE1A4E9000.00000002.00000001.01000000.0000000B.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4e0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: abort$CreateFrameInfo
                                                                  • String ID: csm
                                                                  • API String ID: 2697087660-1018135373
                                                                  • Opcode ID: 6e99a40f12b24c169b8c8d77f5cbd6e99d42a79d20cf72913f8a52ee3316c6bc
                                                                  • Instruction ID: 8b41ece2df0617bedcf4f853ae58a258773575bc4017f769a87a4366e6c81366
                                                                  • Opcode Fuzzy Hash: 6e99a40f12b24c169b8c8d77f5cbd6e99d42a79d20cf72913f8a52ee3316c6bc
                                                                  • Instruction Fuzzy Hash: F9514D72718B4286D621EB16E04067E77A4FB88FA4F1015B6EB8D07B66CF3CE461CB00
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: abort$CreateFrameInfo
                                                                  • String ID: csm
                                                                  • API String ID: 2697087660-1018135373
                                                                  • Opcode ID: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                                  • Instruction ID: efd6e39b1b1419cce71cbc8948c30ff25c818934f06b5a798daf493c5d2440a4
                                                                  • Opcode Fuzzy Hash: f6943bea1c78c8542bb5a279c29cdd6a6ec40214996e776607272464948ef889
                                                                  • Instruction Fuzzy Hash: D0514036718B8186D6209B2AE0402BE77E5F788FA1F1415B6DB8D07B66CF3CE461CB00
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Strftime_invalid_parameter_noinfo_noreturn
                                                                  • String ID: !%x
                                                                  • API String ID: 1195835417-1893981228
                                                                  • Opcode ID: 6903184f3a269f3019ac34e3e92db72ab81aa2a9284a6f7e405e64e2c6ea4191
                                                                  • Instruction ID: 0f82b51dcab987247f6453c57d635d66afd5471bd07a9a35d757b8e1ed26fd05
                                                                  • Opcode Fuzzy Hash: 6903184f3a269f3019ac34e3e92db72ab81aa2a9284a6f7e405e64e2c6ea4191
                                                                  • Instruction Fuzzy Hash: A1418A62F18B9189FB10CBA5D8417EC3B31BB48B98F854531EE4D2BBA9DF3C91858340
                                                                  APIs
                                                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00007FFE01323305
                                                                    • Part of subcall function 00007FFE013725AC: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01325AF8), ref: 00007FFE013725C6
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FFE013257FA,?,?,?,00007FFE01324438), ref: 00007FFE013232FE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                   • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
                                                                  • String ID: ios_base::failbit set
                                                                  • API String ID: 1934640635-3924258884
                                                                  • Opcode ID: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
                                                                  • Instruction ID: 723db83ed2983b9b6435f4317b190c19fb72ec227c7a43d5924585872bc57ac8
                                                                  • Opcode Fuzzy Hash: a7105f9537d0b8ee9470ba42bbca5faa58e0001fe82cb241ae85c6af635f2652
                                                                  • Instruction Fuzzy Hash: C421B432B09B8185DB60DB11E4402AAB3A4FB5CBE0F554631EFAC4BBA9EF3CD5458701
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                   • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: Name::operator+
                                                                  • String ID: void$void
                                                                  • API String ID: 2943138195-3746155364
                                                                  • Opcode ID: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                                  • Instruction ID: 4e2b3b3fecdb6984ccb3c6d17afc73637671492c551a62175b3e9a284e700b9f
                                                                  • Opcode Fuzzy Hash: ff67bb32e799e4a453516f5f2b265aba841f0c9d9f12838b8a28f15594d75a10
                                                                  • Instruction Fuzzy Hash: CB315966F18E9588FB00CBAAE8410FC37B0BB48B58B4055B7EE4D53B69DF389154C750
                                                                  APIs
                                                                    • Part of subcall function 000000014000FAA0: memset.VCRUNTIME140(?,?,00000000,000000014000C5B8,?,?,?,000000014000AF1A,?,?,?,?,000000014000B356), ref: 000000014000FB78
                                                                  • _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000000014000E441
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                   • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                   • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: _invalid_parameter_noinfo_noreturnmemset
                                                                  • String ID: [FAIL LOAD ] %s$[LOAD LIB ] %s
                                                                  • API String ID: 1654775311-1428855073
                                                                  • Opcode ID: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
                                                                  • Instruction ID: e1e0474e3a99f30cd742c56738cdfbd4506b2c38850e860c1e011aff6007d584
                                                                  • Opcode Fuzzy Hash: 100702db65f066f6dc0c5a5468a2d2b73a7eb3417bf6cf788e71504e7ac0ce2e
                                                                  • Instruction Fuzzy Hash: EC218EB2714B8481FA16CB1AF44439A6362E78DBE4F544321BBA94BAF9DF38C181C740
                                                                  APIs
                                                                  • localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00007FFE0132C744), ref: 00007FFE0132F1D4
                                                                    • Part of subcall function 00007FFE0135B090: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0B0
                                                                    • Part of subcall function 00007FFE0135B090: ___mb_cur_max_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0B8
                                                                    • Part of subcall function 00007FFE0135B090: ___lc_locale_name_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0C1
                                                                    • Part of subcall function 00007FFE0135B090: __pctype_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,00007FFE01326093), ref: 00007FFE0135B0DD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: ___lc_codepage_func___lc_locale_name_func___mb_cur_max_func__pctype_funclocaleconv
                                                                  • String ID: false$true
                                                                  • API String ID: 2502581279-2658103896
                                                                  • Opcode ID: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
                                                                  • Instruction ID: b3ab4fe5aad6346d27893b5faa3c4c19ae580a5105145557aab43331049a51fd
                                                                  • Opcode Fuzzy Hash: 059b9e7dcc9bf5a9b2d162324d428766691881fb9c7eb73767e2217b061ef50a
                                                                  • Instruction Fuzzy Hash: A1218336508F8581E720DF25E4403AA77B0FBA8BA8F5A4532DA8C0B369DF3CD155C780
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: FileHeader$ExceptionRaise
                                                                  • String ID: Access violation - no RTTI data!$Bad dynamic_cast!
                                                                  • API String ID: 3685223789-3176238549
                                                                  • Opcode ID: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                                  • Instruction ID: 587b5c8cd8e25392cd936e5d525f904cc12b1c1e51a45016345868209bb77a49
                                                                  • Opcode Fuzzy Hash: d06b4d24d7aa4607bffac334420f89fbd77c373aef9fdd9199db5b082a62258c
                                                                  • Instruction Fuzzy Hash: 32017561B2DE8691EE40DB2AD5501B8A320FF50FA5F4064F3E54E07679DF6CD514C701
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912475627.00007FFE1A4E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A4E0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912455125.00007FFE1A4E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                  • Associated: 0000000C.00000002.1912497165.00007FFE1A4E5000.00000002.00000001.01000000.0000000B.sdmp
                                                                  • Associated: 0000000C.00000002.1912522337.00007FFE1A4E8000.00000004.00000001.01000000.0000000B.sdmp
                                                                  • Associated: 0000000C.00000002.1912540672.00007FFE1A4E9000.00000002.00000001.01000000.0000000B.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4e0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFileHeaderRaise
                                                                  • String ID: csm
                                                                  • API String ID: 2573137834-1018135373
                                                                  • Opcode ID: 9f7a33d673fc978609ae4b898b368f5314f81222cced0233053e09beae7f99e8
                                                                  • Instruction ID: 8d80b998d1f0de12515aa703c14e99ada9fd00b97cc33aa65aa08b57c0ef27af
                                                                  • Opcode Fuzzy Hash: 9f7a33d673fc978609ae4b898b368f5314f81222cced0233053e09beae7f99e8
                                                                  • Instruction Fuzzy Hash: 54112B32608B4582EB118B16F440269B7A1FB88F94F5842B1EEDD07765DF3DD565CB40
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
                                                                  • Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFileHeaderRaise
                                                                  • String ID: csm
                                                                  • API String ID: 2573137834-1018135373
                                                                  • Opcode ID: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                                  • Instruction ID: b8815ea906f16274d419cae37922dc631481c39b4e9115ee72fbdd72584179b3
                                                                  • Opcode Fuzzy Hash: 04e89f2c23f7d49b97199698fdfbf86ccf7878464e1c577e170b006b6ea557c8
                                                                  • Instruction Fuzzy Hash: 31114232618F8182EB518F26F540269B7A5FB88F94F6851B1DE8D07768EF3CD551C700
                                                                  APIs
                                                                  • _W_Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE01326A3D
                                                                    • Part of subcall function 00007FFE01324DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01336AB5,?,?,?,?,?,?,?,?,?,00007FFE0133A96E), ref: 00007FFE01324DF9
                                                                    • Part of subcall function 00007FFE01324DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01336AB5,?,?,?,?,?,?,?,?,?,00007FFE0133A96E), ref: 00007FFE01324E28
                                                                    • Part of subcall function 00007FFE01324DD0: memmove.VCRUNTIME140(?,?,00000000,00007FFE01336AB5,?,?,?,?,?,?,?,?,?,00007FFE0133A96E), ref: 00007FFE01324E3F
                                                                  • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE01326A5A
                                                                  Strings
                                                                  • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece, xrefs: 00007FFE01326A65
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: free$Getmonthsmallocmemmove
                                                                  • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:Dece
                                                                  • API String ID: 794196016-2030377133
                                                                  • Opcode ID: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                                  • Instruction ID: 7b0de77346f00fa6d5b10b0eb16737e9100085253c5937c0b0f7b846073c1f34
                                                                  • Opcode Fuzzy Hash: 35463bc8c93a613b80807f21b191e9f09555c78c8fc656c1ad6d6a19475fa1ef
                                                                  • Instruction Fuzzy Hash: 6CE0ED22A15B4292EF549B12F58536963A0FF58B94F855034DA0E0BB65EF7CE4B4C700
                                                                  APIs
                                                                  • _W_Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE013269ED
                                                                    • Part of subcall function 00007FFE01324DD0: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01336AB5,?,?,?,?,?,?,?,?,?,00007FFE0133A96E), ref: 00007FFE01324DF9
                                                                    • Part of subcall function 00007FFE01324DD0: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00007FFE01336AB5,?,?,?,?,?,?,?,?,?,00007FFE0133A96E), ref: 00007FFE01324E28
                                                                    • Part of subcall function 00007FFE01324DD0: memmove.VCRUNTIME140(?,?,00000000,00007FFE01336AB5,?,?,?,?,?,?,?,?,?,00007FFE0133A96E), ref: 00007FFE01324E3F
                                                                  • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE01326A0A
                                                                  Strings
                                                                  • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE01326A15
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: free$Getdaysmallocmemmove
                                                                  • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                                  • API String ID: 2126063425-3283725177
                                                                  • Opcode ID: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                                  • Instruction ID: 864963335130c66d6b7c9ae900a77d0e6a8eee16571ddc2cfe7375c50be4e5ca
                                                                  • Opcode Fuzzy Hash: d7c45e6467b4b0c6c3d92c6c630186995f40c112a9e553bbb50bfe941e4a602f
                                                                  • Instruction Fuzzy Hash: 1AE0ED22A15B4292EF249B12F58536963A0EF58BA4F955134DA0D0BB65DF3CE4A48700
                                                                  APIs
                                                                  • _Getmonths.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE0132633D
                                                                    • Part of subcall function 00007FFE01324D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01332124,?,?,?,00007FFE013243DB,?,?,?,00007FFE01325B31), ref: 00007FFE01324D72
                                                                    • Part of subcall function 00007FFE01324D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01332124,?,?,?,00007FFE013243DB,?,?,?,00007FFE01325B31), ref: 00007FFE01324D98
                                                                    • Part of subcall function 00007FFE01324D50: memmove.VCRUNTIME140(?,?,?,00007FFE01332124,?,?,?,00007FFE013243DB,?,?,?,00007FFE01325B31), ref: 00007FFE01324DB0
                                                                  • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE0132635A
                                                                  Strings
                                                                  • :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December, xrefs: 00007FFE01326365
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: free$Getmonthsmallocmemmove
                                                                  • String ID: :Jan:January:Feb:February:Mar:March:Apr:April:May:May:Jun:June:Jul:July:Aug:August:Sep:September:Oct:October:Nov:November:Dec:December
                                                                  • API String ID: 794196016-4232081075
                                                                  • Opcode ID: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                                  • Instruction ID: 1419420998231087c90090aa68846d3e23167ab2ec1710adb362fc76efeed675
                                                                  • Opcode Fuzzy Hash: ed084fae94afa21b919f43624ebef8cf161b3b61c5abe0357020c1cb6bd20feb
                                                                  • Instruction Fuzzy Hash: C7E0C222A19B4292EF14AB12F58936963A0EF58B90F895034DA1D0A765DF3CE4E4C780
                                                                  APIs
                                                                  • _Getdays.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FFE013262CD
                                                                    • Part of subcall function 00007FFE01324D50: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01332124,?,?,?,00007FFE013243DB,?,?,?,00007FFE01325B31), ref: 00007FFE01324D72
                                                                    • Part of subcall function 00007FFE01324D50: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FFE01332124,?,?,?,00007FFE013243DB,?,?,?,00007FFE01325B31), ref: 00007FFE01324D98
                                                                    • Part of subcall function 00007FFE01324D50: memmove.VCRUNTIME140(?,?,?,00007FFE01332124,?,?,?,00007FFE013243DB,?,?,?,00007FFE01325B31), ref: 00007FFE01324DB0
                                                                  • free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FFE013262EA
                                                                  Strings
                                                                  • :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday, xrefs: 00007FFE013262F5
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
                                                                  • Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: free$Getdaysmallocmemmove
                                                                  • String ID: :Sun:Sunday:Mon:Monday:Tue:Tuesday:Wed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
                                                                  • API String ID: 2126063425-3283725177
                                                                  • Opcode ID: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                                  • Instruction ID: c5ab8ffa06afc2ba3e7e2acd41b32f3d939cbd6c03868198feb3ca3f502e037d
                                                                  • Opcode Fuzzy Hash: a04edf8c09a9591475f60b3d70615b483377bc7e811a615235a619ef21bdc5d2
                                                                  • Instruction Fuzzy Hash: 78E0ED21A14B8292EB189B12F594369A3A4FF58B90F859434DA1D0B765EF3CE4A48700
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionThrow
                                                                  • String ID:
                                                                  • API String ID: 432778473-0
                                                                  • Opcode ID: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                                  • Instruction ID: 3f6ef9a8942bd25f1c030384d86529519749b139d31aef7b6ed3ba5bf9942206
                                                                  • Opcode Fuzzy Hash: d9bb2bc8e21e590b3fd8fc0242846147083d30a74871389f14427f3348973e5f
                                                                  • Instruction Fuzzy Hash: 582153B6610A8489E729EE37E8523E92311F78C7D8F149426BF4D4FBAECE31C4518340
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1911369253.0000000140001000.00000020.00000001.01000000.00000007.sdmp, Offset: 0000000140000000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1911343209.0000000140000000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911398895.0000000140013000.00000002.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911445762.000000014001A000.00000004.00000001.01000000.00000007.sdmp
                                                                  • Associated: 0000000C.00000002.1911475086.000000014001B000.00000002.00000001.01000000.00000007.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_140000000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionThrow$_invalid_parameter_noinfo_noreturn
                                                                  • String ID:
                                                                  • API String ID: 2822070131-0
                                                                  • Opcode ID: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
                                                                  • Instruction ID: fb8aed582c15149af4c4f009e579fb1eee3dc1aedb4e9a74b926e9b9865ab3f7
                                                                  • Opcode Fuzzy Hash: 30ed3b25f5ea98c469b603825ace0e1aecbe3e4cfdbff60b42ce3570a35d7577
                                                                  • Instruction Fuzzy Hash: 331151B5710A40C9E71DEB73A8423EA1211EB887C4F149536BF480BA6ECE76C4518740
                                                                  APIs
                                                                  • GetLastError.KERNEL32(?,?,?,00007FFE1A4E329D,?,?,?,?,00007FFE1A4E411A,?,?,?,?,?), ref: 00007FFE1A4E33FB
                                                                  • SetLastError.KERNEL32(?,?,?,00007FFE1A4E329D,?,?,?,?,00007FFE1A4E411A,?,?,?,?,?), ref: 00007FFE1A4E3483
                                                                  Memory Dump Source
                                                                  • Source File: 0000000C.00000002.1912475627.00007FFE1A4E1000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00007FFE1A4E0000, based on PE: true
                                                                  • Associated: 0000000C.00000002.1912455125.00007FFE1A4E0000.00000002.00000001.01000000.0000000B.sdmp
                                                                  • Associated: 0000000C.00000002.1912497165.00007FFE1A4E5000.00000002.00000001.01000000.0000000B.sdmp
                                                                  • Associated: 0000000C.00000002.1912522337.00007FFE1A4E8000.00000004.00000001.01000000.0000000B.sdmp
                                                                  • Associated: 0000000C.00000002.1912540672.00007FFE1A4E9000.00000002.00000001.01000000.0000000B.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_12_2_7ffe1a4e0000_ImporterREDServer.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast
                                                                  • String ID:
                                                                  • API String ID: 1452528299-0
APIs
• GetLastError.KERNEL32(?,?,?,00007FFE1A4F65B9,?,?,?,?,00007FFE1A4FFB22,?,?,?,?,?), ref: 00007FFE1A4F674B
• SetLastError.KERNEL32(?,?,?,00007FFE1A4F65B9,?,?,?,?,00007FFE1A4FFB22,?,?,?,?,?), ref: 00007FFE1A4F67D4
Memory Dump Source
• Source File: 0000000C.00000002.1912572171.00007FFE1A4F1000.00000020.00000001.01000000.0000000A.sdmp, Offset: 00007FFE1A4F0000, based on PE: true
• Associated: 0000000C.00000002.1912556914.00007FFE1A4F0000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.1912601145.00007FFE1A501000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.1912620284.00007FFE1A506000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000000C.00000002.1912648959.00007FFE1A507000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffe1a4f0000_ImporterREDServer.jbxd
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
APIs
Memory Dump Source
• Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
• Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
APIs
Memory Dump Source
• Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
• Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
APIs
Memory Dump Source
• Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
• Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0
APIs
Memory Dump Source
• Source File: 0000000C.00000002.1912272012.00007FFE01321000.00000020.00000001.01000000.00000009.sdmp, Offset: 00007FFE01320000, based on PE: true
• Associated: 0000000C.00000002.1912249444.00007FFE01320000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912307499.00007FFE01375000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912334265.00007FFE013A3000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912351745.00007FFE013A4000.00000008.00000001.01000000.00000009.sdmp
• Associated: 0000000C.00000002.1912432108.00007FFE013A7000.00000002.00000001.01000000.00000009.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7ffe01320000_ImporterREDServer.jbxd
Similarity
• API ID: free
• String ID:
• API String ID: 1294909896-0